In response to the newly enacted HIPAA cybersecurity bill, which requires the HHS to incentivize healthcare organizations to implement “recognized cybersecurity best practices,” NIST is planning to update its guidance. The updated NIST cybersecurity framework guidance is meant to clarify what security measures should be in place to comply with the HIPAA Security Rule. More details on the NIST cybersecurity framework guidance are discussed below.
What is the Current HIPAA Cybersecurity Guidance?
HIPAA cybersecurity guidance is currently open to interpretation, as healthcare organizations are expected to scale security requirements to what is relevant to their business. Unfortunately, this often leaves healthcare businesses confused, which in many cases leads to insufficient security measures. The root of the problem is that the HIPAA Security Rule was intentionally written as a high-level overview of what must be implemented, not as a prescriptive checklist.
In the past, NIST sought to remedy this by releasing a Cybersecurity Resource Guide with very precise guidance. NIST now plans to release new HIPAA cybersecurity guidance that sits at a middle ground between the high-level HIPAA Security Rule and the current NIST cybersecurity framework guidance.
How is NIST Changing the Guidance?
In January 2021, a new cybersecurity bill (HR 7898) was passed to bolster the healthcare industry’s cybersecurity posture. The bill does so by requiring the HHS to incentivize HIPAA cybersecurity by taking into account an organization’s implementation of a “recognized cybersecurity framework” (such as NIST) when conducting an audit and deciding whether or not to fine the organization.
The new guidance is set to provide healthcare organizations with detailed guidance on what recognized cybersecurity best practices are and how to implement them. This is particularly important to ensure that healthcare organizations implement effective security practices, as the bill defines “recognized security practices” as:
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015;
- Programs and practices that are developed in, recognized by, or outlined in federal laws other than HIPAA; and
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
The updated guidance also seeks to:
- Educate readers about information security terms used in the HIPAA Security Rule;
- Amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule; and
- Amplify awareness of non-NIST resources relevant to the HIPAA Security Rule.
NIST Cybersecurity and Public Comment
To ensure that the new NIST Cybersecurity Resource Guide adequately addresses the concerns of covered entities and business associates, NIST is giving them until June 15, 2021, to submit comments.
NIST is asking healthcare organizations to:
- Describe any tools, resources, or techniques that their organization currently uses or would like to use to implement the HIPAA Security Rule.
- Describe how their organization manages compliance and security simultaneously (i.e., how their organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
- Describe how their organization assesses risk to ePHI (electronic protected health information) and how this assessment leads to identifying appropriate security controls/practices.
- Describe how their organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often their organization initiates a process to determine such effectiveness.
- Describe how they document the process of demonstrating adequate implementation of recognized security practices.
- Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at their organization.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!