NIST Finalizes HIPAA Security Rule Implementation Guidance
The National Institute of Standards and Technology (NIST) has published the final version of its guidance on implementing the HIPAA Security Rule. The document, Special Publication 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, was developed by NIST in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and supersedes Revision 1 of the publication from 2008. It walks HIPAA-covered entities and business associates through conducting a risk analysis to identify risks to, and vulnerabilities of, electronic protected health information (ePHI). It also identifies activities that HIPAA-regulated entities should consider as part of their information security program and offers guidance on achieving and maintaining compliance with the HIPAA Security Rule while improving overall cybersecurity posture.
The HIPAA Security Rule sets minimum standards for safeguarding ePHI and has been in effect since April 2005. Despite almost two decades of enforcement, HIPAA-regulated entities are still struggling with compliance. Both rounds of HIPAA audits conducted by OCR, in 2011 and in 2016/2017, identified widespread noncompliance with the HIPAA Security Rule. The second phase of audits showed that compliance had improved since the first phase, but none of the 63 audited entities achieved the top rating of 1 for risk analysis. A rating of 1 indicates that the entity is fully compliant with the goals and objectives of the risk analysis standard of the HIPAA Security Rule. The majority (41) received a rating of 3 or 4, meaning only minimal or negligible effort had been put into complying with the standard. Results were worse for risk management, with 44 of the 63 audited entities receiving a rating of 4 or 5. A rating of 5 means the entity did not provide OCR with evidence of a serious attempt to comply with the risk management standard of the HIPAA Security Rule.
While compliance with the HIPAA Security Rule should have improved in the 7 years since the last round of HIPAA audits, the number of healthcare data breaches now being reported suggests otherwise. In 2017, 368 data breaches of 500 or more records were reported to OCR, exposing 5,131,289 healthcare records. In 2023, 725 such breaches were reported, and more than 133 million records were breached. Hackers have certainly increased their attacks on the healthcare sector in recent years, but the number of attacks that succeed strongly suggests that HIPAA-regulated entities are not fully complying with the risk analysis and risk management provisions of the HIPAA Security Rule.
In February 2023, OCR announced that it was seeking feedback on its audit program, which suggests that the HIPAA audit program is about to be resurrected. With OCR in desperate need of funding, the next round of audits may also result in financial penalties for noncompliance. HIPAA-regulated entities should therefore review the guidance and apply its recommendations to their information security programs now, before the audits resume.
The post NIST Finalizes HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.