
NIST Cybersecurity Guidance Update for Clinical HIPAA Cybersecurity


June 9, 2021 | Reading Time: 2 Minutes


In response to the newly enacted HIPAA cybersecurity law (HR 7898), which requires HHS to take a healthcare organization’s implementation of “recognized security practices” into account during enforcement, NIST is planning to update its guidance for implementing the HIPAA Security Rule (NIST SP 800-66). The updated guidance is meant to clarify which security measures should be in place to comply with the HIPAA Security Rule. More details on the planned update are discussed below.

What is the Current HIPAA Cybersecurity Guidance?

HIPAA cybersecurity guidance is currently open to interpretation: the Security Rule is deliberately flexible and scalable, so healthcare organizations are expected to choose security measures appropriate to their size, complexity, and risk. Unfortunately, in many cases this leaves healthcare businesses unsure of what is actually required, often leading to insufficient security measures. This is because the HIPAA Security Rule was intentionally written as a high-level overview of what must be implemented rather than as a prescriptive list of controls.

In the past, NIST sought to remedy this by releasing a Cybersecurity Resource Guide for implementing the HIPAA Security Rule (SP 800-66) with very precise guidance. With the planned update, NIST seeks to release new HIPAA cybersecurity guidance that occupies a middle ground between the high-level HIPAA Security Rule and the current, much more detailed NIST cybersecurity framework guidance.

How is NIST Changing the Guidance?

In January 2021, a new cybersecurity bill (HR 7898) was signed into law to bolster the healthcare industry’s cybersecurity posture. The law does so by requiring HHS to take into account whether an organization has had “recognized security practices” (such as the NIST Cybersecurity Framework) in place for the previous 12 months when conducting an audit and when deciding whether, and how much, to fine the organization.

The new guidance is set to give healthcare organizations a detailed explanation of what recognized cybersecurity best practices are and how to implement them. This is particularly important because the law ties enforcement outcomes to those practices, which it defines as:

  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015;
  • Programs and practices that are developed in, recognized by, or outlined in federal laws other than HIPAA; and
  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).

The updated guidance also seeks to:

  • Educate readers about information security terms used in the HIPAA Security Rule;
  • Amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule; and
  • Amplify awareness of non-NIST resources relevant to the HIPAA Security Rule.

NIST Cybersecurity and Public Comment

To ensure that the new NIST Cybersecurity Resource Guide adequately addresses the concerns of covered entities and business associates, NIST is giving them until June 15, 2021, to submit comments.

NIST is asking healthcare organizations to:

  • Describe any tools, resources, or techniques that their organization currently uses or would like to use to implement the HIPAA Security Rule.
  • Describe how their organization manages compliance and security simultaneously (i.e., how their organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
  • Describe how their organization assesses risk to ePHI (electronic protected health information) and how that assessment leads to identifying appropriate security controls and practices.
  • Describe how their organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often their organization initiates a process to determine such effectiveness.
  • Describe how their organization documents and demonstrates adequate implementation of recognized security practices.
  • Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at their organization.
