The U.S. Department of Health and Human Services (HHS) wants entities that handle health data to look outside the health sector when they’re thinking about how to protect the data.
The HHS Office for Civil Rights (HHS OCR) is urging those organizations to read the National Institute of Standards and Technology (NIST) security guidelines.
HHS has developed its own Health Insurance Portability and Accountability Act (HIPAA) Security Rule. That rule, which is meant to be flexible and general enough to fit with any technology, applies to hospitals, doctors, health insurers, insurance brokers, and other people and organizations that handle personal health data.
NIST released a more technical, more detailed Cybersecurity Framework in February 2014.
The entities that handle protected health information still need to meet the HIPAA security requirements, but they ought to look hard at the NIST framework to see whether there are gaps between what their organizations are doing and what NIST recommends, HHS OCR officials say in an announcement of a new HIPAA-NIST standards comparison chart.
The HIPAA Security Rule does not require the affected organizations to use the NIST framework, and using the NIST framework does not necessarily mean that an organization is complying with every part of the HIPAA requirements, HHS OCR officials say.
But studying the comparison chart may be a good way for organizations that handle protected health information to find security gaps, officials say.
“Addressing these gaps can bolster their compliance with the Security Rule,” officials say.
In one column, for example, HHS OCR shows that a HIPAA subcategory rule for “asset management” requires an organization to inventory its physical devices and systems. In a “relevant control mappings” column, officials give a long list of the HIPAA Security Rule regulation sections, NIST framework sections, and other relevant standards sections that apply to device inventories.
The chart provides similar types of information for matters such as making systems as resilient as possible and identifying internal and external threats.