Last week, the HHS Office for Civil Rights (OCR) released a crosswalk between the requirements of the HIPAA Security Rule and the NIST Cybersecurity Framework. The crosswalk – which was developed in conjunction with the National Institute of Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health IT – maps each administrative, physical and technical safeguard standard and implementation specification of the HIPAA Security Rule to the relevant subcategory in the Cybersecurity Framework.
HHS notes that, because of the granularity of the NIST Cybersecurity Framework’s subcategories, some HIPAA Security Rule requirements may map to more than one of the Cybersecurity Framework’s subcategories. However, HIPAA covered entities and business associates, who are required to comply with the Security Rule, should not assume that aligning their information security program with the Cybersecurity Framework ensures full compliance with the Security Rule. The HIPAA Security Rule is designed to be flexible, scalable and technology neutral – it accommodates integration with various information security frameworks, including the Cybersecurity Framework, but does not require regulated entities to integrate the Cybersecurity Framework into their security management program. HHS indicates that organizations that have aligned their information security programs to either the Cybersecurity Framework or the Security Rule may find the crosswalk useful in identifying potential gaps in their programs and in managing the risks in their information security environments.
The crosswalk also responds to calls in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Cybersecurity Information Sharing Act of 2015 for guidance on the implementation of NIST frameworks.