The federal government has implemented security standards for its own agencies. The agency that created these standards is the National Institute of Standards and Technology (NIST). NIST details its standards in published resources and encourages private entities to adopt the security standards in their own line of work. HIPAA NIST refers to a NIST publication, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” This publication, which NIST made public over a decade ago, provides HIPAA NIST guidelines for covered entities and business associates. These guidelines describe how covered entities and business associates can implement a HIPAA security program using NIST standards. Through HIPAA NIST, an organization uses NIST guidelines to strengthen its overall HIPAA security.
HIPAA NIST: The Standardized Framework
The NIST publication for implementing the HIPAA Security Rule is one of many NIST publications. Other NIST publications address security standards related to other federal laws. Collectively, the publications form an overall security framework, called the NIST Cybersecurity Framework (NIST CSF). The framework provides security best practices in a number of areas, including access controls, audit logging, password policies, and many other IT measures the HIPAA Security Rule requires covered entities and business associates to address. While following the NIST CSF is voluntary, more organizations adopt the framework every year. As a result, NIST standards have become a common language for security.
HIPAA NIST Compliance: The Advantages of the NIST Framework
The HIPAA NIST guidelines offer several advantages to covered entities and business associates seeking to enhance security compliance. The HIPAA Security Rule’s text is vague and often lacking in detail. For example, the Security Rule addresses encryption by stating: “Implement a mechanism to encrypt and decrypt electronic protected health information.” What kind of mechanism? Morse Code? The Rule simply states that something “reasonable” and “appropriate” should be implemented, if feasible.
The HIPAA NIST framework provides actual details for how to encrypt and decrypt. The framework contains a series of workflows and standards, which serve as both a blueprint and user manual an organization can use. Following the workflow and standards allows a user to implement an encryption mechanism that can be objectively validated. The NIST framework is also used by numerous Fortune 500 companies, and as a result, many large healthcare providers are more comfortable working with organizations using the NIST framework.
HIPAA NIST Compliance: The Crosswalk
NIST also provides a “crosswalk” that “maps” (correlates) NIST guidelines to specific Security Rule standards. The crosswalk allows an organization to look up a particular NIST guidance topic – say, automatic logoff. When the user looks up a topic, the crosswalk reveals which HIPAA Security Rule provision addresses that topic. The crosswalk, by serving as a cross-reference, saves users time.
Organizations that align their security programs to either the NIST Cybersecurity Framework, or the HIPAA Security Rule, can use the crosswalk to identify potential gaps in their programs. In remediating these gaps, an organization strengthens Security Rule compliance. This allows an organization to more effectively secure ePHI and other critical information and business processes.
For example, if a covered entity has an existing security policy providing for risk management, the policy may lack detail, since the text of the Security Rule does not provide much information as to what risk management actually is or does. The covered entity can use the NIST crosswalk to obtain the missing information. This will allow the covered entity to determine which parts of the NIST Cybersecurity Framework it is already following, and which it should incorporate into its overall risk management program. Having an effective risk management program will prepare an organization to respond in the event of an emergency.
The crosswalk maps all of the administrative, physical, and technical safeguard standards and implementation specifications in the HIPAA Security Rule to a corresponding NIST Cybersecurity Framework Subcategory, allowing for enhanced compliance with the entire Security Rule. This means that no Security Rule provision is left unaddressed by NIST. Previously, other “guidelines” focused on only one or a few elements of Security Rule compliance, resulting in a compliance program that was deficient in many areas.