I recently read that HIPAA regulations require organizations to follow NIST guidelines and standards. Is this true?...

How does HIPAA incorporate NIST guidelines? Should healthcare organizations follow the NIST regardless?

Although HIPAA does not directly require that covered entities follow NIST guidelines and standards, it references many of them as strong practices. NIST guidelines provide technical information and advice to organizations trying to meet common security objectives that overlap with those of HIPAA. NIST publications can therefore be valuable resources for organizations that must comply with HIPAA, helping them better understand their HIPAA obligations and how to meet them.

In particular, NIST offers its Special Publication 800-66, a document of over 50 pages entitled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." Describing each HIPAA requirement in turn, this guide provides details on the administrative and technical safeguards that a HIPAA covered entity can put in place for compliance.

As NIST indicates, SP 800-66 was prepared for use by government agencies, and may be used by nongovernment agencies on a voluntary basis. The document contains a disclaimer stating that it is intended for federal organizations, and that it is not intended to be, nor should it be, construed or relied on as legal advice for any other organization or person. In other words, HIPAA is still the law. The NIST publication is a helpful guide, but is one interpretation of the law, not the law itself. Consequently, it cannot be used as legal validation of a position or actions undertaken to comply with HIPAA.

This was last published in November 2016

The authors of HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected information would reside and imposed requirements that covered entities must protect that information.

Today, Fitbits and other fitness trackers, like the Apple Watch and HealthKit, and online communities offer individuals the possibility to engage far more in managing their own health, generating additional personal health information. The authors of HIPAA never imagined this new world of consumer health technology and, as such, HIPAA generally does not apply in these cases.

The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates of covered entities that exchange information with covered entities. Consumer health companies normally do not fit into these categories. For example, the maker of a fitness tracking device doesn't provide medical care to a patient or receive information from a medical professional, so there is no HIPAA-covered relationship.

What currently falls through the cracks?

Consumers and patients may incorrectly assume that HIPAA provides privacy and security for their health information, no matter how such information is gathered, distributed or used. As a result, they may agree to information practices of noncovered entities collecting their health information, incorrectly believing that they are protected by HIPAA. A 2014 study published in the Journal of the American Informatics Association suggested that less than one third of mobile health applications had privacy policies and that, on average, these policies were written at the reading level of a college senior.

Without the requirement to observe the HIPAA Security Rule, consumers have little insight into the quality of the security controls used by consumer health companies. These companies may gather substantial health information about individuals, and do so in a generally unregulated fashion.

Should HIPAA controls apply to consumer health companies?

HIPAA is likely to be too onerous for many health-related applications. If HIPAA controls were imposed on fitness companies and similar businesses, the burden of compliance would prevent them from operating effectively and would limit the services that they make available to the public. These companies currently don't have the expertise required to comply with the many technical nuances of HIPAA and would be forced to hire compliance staffers and implement expensive controls that are probably overkill for many of their businesses.

This means that simply adding consumer health companies to the scope of HIPAA is not a viable solution. Indeed, the blanket application of HIPAA controls to consumer health companies would likely cause many of them to eliminate or reduce the services they provide or raise their costs to cover the new requirements. If Congress wishes to regulate consumer health technology, it must consider dedicated legislation that specifically addresses the nuances of this space.

Other ways to protect personal health information

Fortunately, there are other potential paths to protecting personal health information that does not currently fall under the auspices of HIPAA. Two of the current tools available to regulators include:

  • The FTC Act: The Federal Trade Commission applies statutes and rules that oblige businesses to protect consumer data, and to refrain from unfair or deceptive acts or practices. The FTC Act is the main federal statute regulating privacy and security practices for consumer health companies that do not fall under HIPAA and could be an area of increased focus for regulators.
  • The FTC Health Breach Notification Rule: This rule requires that certain types of organizations dealing with personal health records notify individuals, the FTC, and possibly even the media if a health information breach occurs.

Currently, the United States does not have an overarching consumer privacy framework similar to the one found in the European Union. While it's unlikely that the U.S. will see this type of legislation in the near future, a general privacy framework would likely be the best solution to the issues the U.S. experiences with gaps in its current patchwork of laws.

This was first published in September 2016