The HIPAA Security Rule sets national standards for safeguarding electronic protected health information (ePHI). Any nonprofit that handles Protected Health Information (PHI) must adhere to these requirements. Although the rule was established in 1998 and last significantly updated in 2013, it remains enforceable for all covered entities and business associates. Given the medical industry’s vulnerability to cyberattacks, the National Institute of Standards and Technology (NIST) developed Special Publication 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, to assist institutions in maintaining compliance and protecting both ePHI and their security.
Earlier this month, NIST released an update to Special Publication 800-66 with the release of NIST SP 800-66r2. NIST’s publication provides useful guidance on implementing the rule to properly safeguard electronic protected health information (ePHI). The publication is meant to aid understanding of the Security Rule, Breach Notification Rule, and Omnibus Rule and help organizations implement security controls to meet both HIPAA compliance and industry-standard best practices.
The HIPAA Security Rule has two types of controls – required and addressable. As its name implies, required specifications must be complied with by all covered entities and business associates. On the other hand, addressable specifications are controls that the covered entity must assess whether the implementation is reasonable and appropriate in safeguarding ePHI for the organization.
The first step in implementing the HIPAA Security Rule is to conduct a risk assessment. The risk assessment will determine which addressable controls are required and help the organization identify gaps in their current security posture. Annual risk assessments are strongly encouraged to maintain compliance with the Security Rule and to ensure the organization continuously improves its security posture. Contact the IT Services Team to learn more about how GBQ can help your organization implement and maintain compliance with the HIPAA Security Rule.
Article written by:
John Stuart
Senior Cybersecurity Analyst