The National Institute of Standards and Technology, or NIST, a division of the U.S. Department of Commerce, develops information technology standards and sets them out in published guidelines and resources. Over a decade ago, NIST issued a publication, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” which provides guidelines for how organizations should implement and oversee a HIPAA security program. In the years since, healthcare providers have used this publication and subsequent NIST cybersecurity guidance to develop and maintain security policies and procedures under HIPAA’s Security Rule. This article discusses NIST HIPAA compliance, meaning an organization’s use of NIST guidelines to strengthen its overall HIPAA security protocols.
NIST HIPAA Compliance: The Standardized Framework
The NIST publication for implementing HIPAA is part of NIST’s overall security framework.
The NIST Cybersecurity Framework (NIST CSF), a series of guidelines, provides a standardized framework for federal agencies to secure their infrastructure. NIST encourages private employers, including healthcare employers, to follow the guidelines as well. The guidelines provide advice on audit logging, vulnerability scanning, password policies, access controls, and numerous other IT measures that the HIPAA Security Rule requires covered entities and business associates to address. The NIST CSF is voluntary: organizations face no penalties or fines for not using it.
NIST HIPAA Compliance: The Advantages of the NIST Framework
NIST HIPAA compliance offers several advantages to covered entities and business associates. The HIPAA Security Rule is written in language that is vague and unhelpful. For example, the Security Rule has this to say about encryption: “Implement a mechanism to encrypt and decrypt electronic protected health information.” There are no instructions on how to do so. The NIST framework contains specific workflows and standards that serve as both an instruction book and a technical manual, so that a user can implement an encryption mechanism that can be objectively validated. The NIST framework is also used by numerous Fortune 500 companies, and as a result, many large healthcare providers are more comfortable working with organizations that use the NIST framework.
NIST HIPAA Compliance: The NIST HIPAA Crosswalk
NIST also provides a “crosswalk” that “maps” NIST guidelines to specific Security Rule standards. This way, a user can look up NIST guidance on a particular topic (say, automatic login) and be informed of the HIPAA standard that addresses it. The NIST guidance is usually much more specific than the equivalent Security Rule requirement, and therefore serves as a blueprint for Security Rule compliance.
Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule can use the crosswalk to identify potential gaps in their programs. Addressing these gaps will strengthen Security Rule compliance and the organization’s ability to effectively secure ePHI and other critical information and business processes.
For example, a covered entity may have an existing security policy providing for risk management, but the policy may not be very detailed, because the Security Rule does not say much about what risk management actually is or does. The covered entity can use the NIST crosswalk to determine which parts of the NIST Cybersecurity Framework it already meets and which it should incorporate into its overall risk management program. A more thorough risk management program will give the organization greater protection in the event of an emergency, which will in turn allow it to retain a competitive edge over organizations that have not used the crosswalk.
The crosswalk maps every administrative, physical, and technical safeguard standard and implementation specification in the HIPAA Security Rule to a corresponding NIST Cybersecurity Framework Subcategory, allowing for enhanced compliance with the entire Security Rule. Previously, other NIST-like standards addressed only one aspect or element of HIPAA Security Rule compliance, resulting in programs that were strong in some compliance areas and weaker in others.