Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Should healthcare organizations follow the NIST guidelines for HIPAA?

HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple explains.

I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?...

How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow the NIST regardless?

Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.

In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.

As NIST indicates, SP 800-66 was prepared for use by government agencies, and may be used by nongovernment agencies on a voluntary basis. The document contains a disclaimer stating that it is intended for federal organizations, and that it is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is the still the law. The NIST publication is a helpful guide, but is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or actions undertaken to comply with HIPAA.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out why HIPAA controls don't do enough for privacy and security

Learn how NIST standards can help with penetration testing

Find out how well the NIST Cybersecurity Framework is being received

This was last published in November 2016

Dig Deeper on HIPAA

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close