The U.S. Department of Health and Human Services (HHS) wants entities that handle health data to look outside the health sector when they think about how to protect it.
The HHS Office for Civil Rights (HHS OCR) is urging those organizations to read the security guidelines published by the National Institute of Standards and Technology (NIST).
HHS has its own set of requirements, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. That rule is deliberately technology-neutral, written to be flexible and general enough to apply to any technology, and it covers hospitals, doctors, health insurers, insurance brokers, and other people and organizations that handle personal health data.
NIST released a more technical, more detailed Cybersecurity Framework in February 2014.
Entities that handle protected health information still have to meet the HIPAA Security Rule's requirements. But HHS OCR officials, announcing a new comparison chart (a "crosswalk") that maps the Security Rule's standards to the NIST framework, say those entities should take a hard look at the NIST framework to see whether there are gaps between what they are doing and what NIST recommends.
The HIPAA Security Rule does not require covered organizations to adopt the NIST framework, and following the NIST framework does not by itself mean an organization complies with every part of the HIPAA requirements, the officials say.
Still, working through the comparison chart can be a useful way for organizations that handle protected health information to find security gaps, and any gap it surfaces should be recorded and addressed through the organization's existing risk analysis and risk management process rather than treated as a separate exercise, officials say.