Cybersecurity and the HIPAA Security Rule

NIST[1] and OCR[2] have published the final version of their guidance to increase cybersecurity and compliance with the HIPAA Security Rule.

The new guidance gives tailored direction to covered entities to improve cybersecurity risk assessment and management. It replaces the July 2022 cybersecurity HIPAA guidance draft.

Security Rule Highlights

The Security Rule:

    • is “flexible, scalable, and technology-neutral… there is no one single compliance approach that will work for all regulated entities” and
    • addresses covered entities based on their size, nature, and unique security risks.

For example, plan sponsors are given individual guidance, set out in tables “designated to initiate the thought process for regulated entities to implement the requirements of the Security Rule.”

This guidance is meant to be used as a resource to assist regulated entities in complying with the HIPAA Security Rule and in improving their cybersecurity.

Additional Highlights

  • Risk assessments should be customized to effectively identify risk for a plan sponsor.
  • Plan sponsors can use risk management and cybersecurity methods that are appropriate to their organization and that effectively safeguard their ePHI.
  • The guidance gives various security measures for each standard of the Security Rule.

What else?

The guidance also emphasizes the importance of general cybersecurity training for the entire organization. It also emphasizes the importance of ensuring that HIPAA security standards work within the existing IT architecture. As far as workforce security, the guidance recognizes that training should coincide with each position’s job description and responsibilities. For example, if the organization is a manufacturer with a self-insured health plan, should the entire organization receive HIPAA training, or should only the identified positions receive HIPAA training based on the roles and responsibilities that correlate with access to ePHI?

The guidance extends past the HIPAA Security Rule to highlight an organization’s business need to safeguard data as “mission-critical.” It cites ransomware attacks and large data breaches costing millions of dollars that make the safeguarding of data a business necessity. While the guidance cites patient protection, it may be applied across various industries that have federal mandates to protect data.

[1] National Institute of Standards and Technology

[2] HHS Office of Civil Rights
