I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?...
How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow NIST guidelines regardless?
Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.
In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.
As NIST indicates, SP 800-66 was prepared for use by government agencies, and may be used by nongovernment agencies on a voluntary basis. The document contains a disclaimer stating that it is intended for federal organizations, and that it is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is still the law. The NIST publication is a helpful guide, but it is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or actions undertaken to comply with HIPAA.