The National Institute of Standards and Technology (NIST) is preparing to modify and make updates to its guidance on carrying out the HIPAA Security Regulation and is looking for ideas from stakeholders on facets of the guidance that ought to be adjusted.
NIST publicized the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – around October 2008. Throughout the last 13 years, cybersecurity has advanced and the threat scenario has evolved a great deal. NIST’s cybersecurity sources have at the same time developed for the duration of that time and an upgrade to the guidance is now past due.
NIST is going to be revising the guidance to integrate its new cybersecurity methods, will enhance understanding of non-NIST solutions associated with concurrence with the HIPAA Security Guideline, and will change its enforcement guidance for HIPAA-covered companies and business associates.
In particular, NIST has required feedback from stakeholders about their experiences implementing and applying the resource guideline, such as the elements of the guidance that were helpful and those that weren’t, along with the explanations why.
NIST wishes to learn from covered entities and business associates that have employed the guidance and have identified key principles to be lacking, and for stakeholders who discovered that the guidance isn’t pertinent to their business to give data on how it could be made a lot more relatable, handy, and actionable to a bigger spectrum of people.
Covered entities and business associates have observed the HIPAA Security Law in a variety of different solutions. NIST is in search of facts on many tools, resources, and methods that were implemented that have been confirmed beneficial, and for covered entities that have experienced victories with their compliance systems to share details on how they deal with compliance and safety concurrently, compare risks to ePHI, find out if the security steps enforced are helpful at defending ePHI, and how they record demonstrating enough enforcement. NIST furthermore likes to hear from any covered entity or business associate that has carried out accepted security strategies that have diverged from conformity with the HIPAA Security Rule.
Stakeholders are supposed to send feedback up to June 15, 2021 for inclusion prior to the offered update. Sent feedback is going to be considered and integrated as long as it is practicable.
