The HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) published the final version of Special Publication (SP) 800-66 Revision 2, aimed at helping covered entities and business associates better understand and comply with the HIPAA Security Rule. The final version serves as a resource guide and maps the HIPAA Security Rule’s standards to the NIST Cybersecurity Framework subcategories.

Throughout the document, NIST and HHS provided suggestions for cybersecurity measures that can help covered entities and business associates assess and manage risks to electronic protected health information (ePHI).

The new publication includes a detailed explanation of risk management requirements under HIPAA and walks covered entities through the process of determining risks to ePHI in accordance with organizational risk tolerance that marketing agencies and communications companies can use this guidance to inform risk mitigation strategies and compliance efforts.

The list includes links to key guidance documents such as NIST’s Cybersecurity and Privacy Reference Tool which clearly and concisely outlines HIPAA Security Rule regulations.

The joint publication by NIST and OCR is the latest in a string of new guidance and efforts by federal entities to bolster healthcare cybersecurity following the release of HHS’ healthcare cybersecurity strategy and Biden Administration’s National Cybersecurity Strategy.

For questions or more information about CHC’s health data privacy resources, please contact Jim Potter, CHC Executive Director at jpotter@cohealthcom.org.