HHS OCR maps HIPAA Security Rule to NIST Cybersecurity Framework

The Department of Health and Human Services' Office for Civil Rights has released a "crosswalk" between the National Institute of Standards and Technology's cybersecurity framework and the HIPAA Security Rule to help healthcare organizations improve their cybersecurity preparedness.

It maps the HIPAA Security Rule standards and implementation specifications to those of the NIST framework, as well as to other commonly used security frameworks, such as Control Objectives for Information and Related Technology (COBIT) and standards from the International Organization for Standardization (ISO).

"Although the security rule does not require use of the NIST Cybersecurity Framework, and use of the framework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments," OCR says in an announcement.

Organizations that have implemented one or the other may find the mappings useful in identifying gaps that need to be addressed, OCR adds.

The College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security recently called for more work on the NIST framework. They said that HIPAA's lack of prescriptive approaches for managing risk limits use of the NIST framework, and called for NIST and other agencies providing security guidance to work with OCR to provide more certainty around what constitutes HIPAA compliance.

OCR on Thursday also reiterated patients' right to copies of their medical records, and in a new Frequently Asked Questions document states that providers should provide medical records free of charge in most cases, particularly for patients who might not be able to afford them. It released guidance last month about the access providers are required to offer.

To learn more:
- here's the crosswalk (.pdf)
- read the announcement
- check out the FAQs