The National Institute of Standards and Technology (NIST) is seeking public comment as it prepares to update its Introductory Resource Guide on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule for the first time in over a decade. NIST’s updated guidance is particularly timely and of interest in light of a new amendment, signed into law on January 5, 2021, that instructs the Department of Health and Human Services to take into account whether an entity has demonstrated that it has “recognized security practices” (as defined by law) in place.
NIST’s guidance, first published in 2005 and last updated in 2008, provides insight and suggestions as to how HIPAA-regulated entities are expected to implement Security Rule requirements. The HIPAA Security Rule generally eschews detailed, prescriptive requirements in favor of broader, higher-level safeguards, allowing HIPAA-regulated entities to adopt a diverse set of approaches in implementing the Rule. NIST’s guidance was intended to help bridge the divide between the high-level Security Rule language and much more detailed NIST cybersecurity guidance. NIST is now updating its HIPAA…
