NIST HIPAA Compliance: The Advantages of the NIST Framework
NIST HIPAA compliance offers several advantages to covered entities and business associates. The HIPAA Security Rule is worded in language that is vague and gives little implementation detail. For example, everything the Security Rule says about encryption, in the addressable implementation specification at 45 CFR §164.312(a)(2)(iv), is: "Implement a mechanism to encrypt and decrypt electronic protected health information." There are no instructions on which algorithms, key lengths, key-management practices, or validation criteria count. NIST's publications supply that detail: the Cybersecurity Framework and the control catalog it references (NIST SP 800-53), companion guides such as SP 800-111 (storage encryption) and SP 800-66 (implementing the HIPAA Security Rule), and the underlying standards FIPS 197 (AES) and FIPS 140 (validated cryptographic modules). Together they serve as both an instruction book and a technical manual, so that a user can implement an encryption mechanism that can be objectively validated against a published standard. The NIST framework is also used by numerous Fortune 500 companies, and as a result many large healthcare providers are more comfortable working with organizations that use it.
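As an added example (not code from the original article), here is what an objectively validatable "mechanism to encrypt and decrypt" ePHI looks like in practice, written in Go against its standard library: AES-256 (FIPS 197) in GCM mode (NIST SP 800-38D), with a fresh random 96-bit nonce per record and the record identifier bound to the ciphertext as additional authenticated data so a ciphertext cannot be silently moved between patient records. The key, the record identifier scheme, and the sample JSON payload are all constructed for the demo; a real deployment fetches the key from a FIPS 140-validated HSM or KMS rather than generating it in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what gets stored: ciphertext plus the non-secret context
// needed to decrypt it. Nothing in here reveals the plaintext.
type Record struct {
	RecordID   string // constructed identifier, e.g. a medical record number; bound via AAD
	KeyVersion uint32 // which key encrypted this, so keys can be rotated
	Nonce      []byte // 96-bit, unique per Seal() under a given key
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

// aad builds the additional authenticated data: not encrypted, but
// covered by the GCM tag, so any change to it makes decryption fail.
func aad(recordID string, keyVersion uint32) []byte {
	return []byte(fmt.Sprintf("%s|key-v%d", recordID, keyVersion))
}

// newGCM rejects anything but a 32-byte key, so only AES-256 is ever used.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEPHI encrypts one ePHI record under key with AES-256-GCM and a
// fresh random nonce. The nonce is stored alongside the ciphertext; it is
// not secret, but it must never repeat under the same key.
func EncryptEPHI(key []byte, keyVersion uint32, recordID string, plaintext []byte) (*Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(recordID, keyVersion))
	return &Record{RecordID: recordID, KeyVersion: keyVersion, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptEPHI returns the plaintext, or an error if the key, nonce,
// ciphertext, tag, or bound record context do not match. On failure GCM
// returns no partial plaintext at all.
func DecryptEPHI(key []byte, rec *Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.RecordID, rec.KeyVersion))
}

func main() {
	// Demo key, generated here only so the example runs stand-alone.
	// In production the key comes from a FIPS 140-validated HSM/KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}

	// Constructed sample ePHI record; not real patient data.
	rec, err := EncryptEPHI(key, 1, "MRN-000123", []byte(`{"name":"J. Doe","dx":"E11.9"}`))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptEPHI(key, rec)
	fmt.Printf("roundtrip: %s (err=%v)\n", pt, err)

	// Move the ciphertext onto a different record: the AAD no longer matches.
	moved := *rec
	moved.RecordID = "MRN-000124"
	_, err = DecryptEPHI(key, &moved)
	fmt.Printf("ciphertext moved to another record: err=%v\n", err)

	// Flip one ciphertext bit: the GCM tag check fails.
	tampered := *rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = DecryptEPHI(key, &tampered)
	fmt.Printf("tampered ciphertext: err=%v\n", err)
}
```

The point of the example is the properties an auditor can check: a named NIST-approved algorithm and mode, a fixed key length, a per-record nonce, integrity protection that covers the record's identity, and a decrypt path that fails closed. None of that is derivable from the Security Rule's one-sentence specification; all of it is derivable from the NIST documents the specification is crosswalked to.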
NIST HIPAA Compliance: The NIST HIPAA Crosswalk
HHS's Office for Civil Rights, working with NIST and ONC, published a "crosswalk" that maps each HIPAA Security Rule standard to the NIST Cybersecurity Framework subcategories that address it. This way, a user can look up NIST guidance on a particular topic, say automatic logoff (45 CFR §164.312(a)(2)(iii)), and be informed which Security Rule standard or implementation specification addresses it. The NIST guidance is usually much more specific than the equivalent Security Rule requirement, and therefore serves as a blueprint for Security Rule compliance.
Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule can use the crosswalk in either direction to identify gaps in their programs. Addressing those gaps strengthens Security Rule compliance and the organization's ability to secure ePHI and the other critical information and business processes that depend on it.
For example, a covered entity may have an existing risk management policy that is not very detailed, because the Security Rule's risk management specification (45 CFR §164.308(a)(1)(ii)(B)) says little about what a risk management program actually does beyond reducing risks "to a reasonable and appropriate level". The covered entity can use the crosswalk to determine which parts of the Cybersecurity Framework's Risk Assessment (ID.RA) and Risk Management Strategy (ID.RM) categories it is already meeting and which it should incorporate into its overall risk management program. A more thorough risk management program gives the organization greater protection when an incident occurs, which in turn lets it retain a competitive edge over organizations that have not done this work.
The crosswalk maps every administrative, physical, and technical safeguard standard and implementation specification in the HIPAA Security Rule to one or more corresponding NIST Cybersecurity Framework subcategories, so the entire Security Rule can be worked through against a single framework. Previously, other mappings and standards addressed only one aspect or element of Security Rule compliance, resulting in programs that were strong in some compliance areas and weaker in others. One caveat: a crosswalk entry is an aid to navigation, not a finding of compliance. Satisfying a Framework subcategory does not by itself establish that the corresponding Security Rule specification is met; the organization still has to document how its specific controls satisfy each standard and implementation specification.