Information Security & Privacy Regulatory Compliance:
NIST Support for HIPAA
The National Institute
of Standards and Technology (NIST) has done something wonderful with
Health Insurance Portability and Accountability Act (HIPAA) security
standards: they have made them easier to understand!
Before going further, note that your organization may not be subject to
HIPAA at all. To determine whether you are a covered entity, the Centers
for Medicare & Medicaid Services (CMS) publish four decision charts:
http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf
If, after reviewing
these charts and answering the questions they contain, you do not
answer yes to any of them, then congratulations! You do not need to
read any further.
More than likely you
are a covered entity under HIPAA, and so we will delve into yet
another regulation you will want to learn about.
NIST is a U.S. federal agency (part of the Department of Commerce) that,
among other things, publishes standards and guidance for U.S. industry
and federal agencies. It has produced a special publication, SP 800-66
("An Introductory Resource Guide for Implementing the HIPAA Security
Rule"), that addresses the HIPAA Security Rule. The Security Rule, published
as a final rule in the Federal Register in February 2003, is a 49-page
document. Because it is a lengthy and at times complex regulation, the
NIST publication is an invaluable resource for anyone who needs to comply
with it.
HIPAA is divided into several themes, known as Titles in HIPAA parlance,
that together aim to improve the portability of health coverage and the
efficiency of the healthcare industry. This article addresses the Security
Rule and, in passing, the Privacy Rule; both are issued under the
Administrative Simplification provisions of Title II. Title I (Health Care
Access, Portability, and Renewability) and Title V (Revenue Offsets) will
not be discussed.
The Security Rule overview is published by the Centers for Medicare &
Medicaid Services (CMS):
http://www.cms.hhs.gov/HIPAAGenInfo/01_Overview.asp
Information regarding enforcement of the Privacy Rule by the HHS Office
for Civil Rights (OCR) can be found here:
http://www.hhs.gov/ocr/privacy/index.html
Although neither rule is overly complex, each can be a burden on a small
medical office or on a large corporation that is administering a health
plan. As stated, NIST SP 800-66 goes a long way toward alleviating that
burden. Here is an example, excerpted from the document:
4.16. Integrity (§ 164.312(c)(1))

HIPAA Standard: Implement policies and procedures to protect electronic
protected health information from improper alteration or destruction.

Key Activity 1: Identify All Users Who Have Been Authorized to Access EPHI

  Description:
  • Identify all approved users with the ability to alter or destroy data,
    if reasonable and appropriate.
  • Address this Key Activity in conjunction with the identification of
    unauthorized sources in Key Activity 2, below.

  Sample Questions:
  • How are users authorized to access the information?
  • Is there a sound basis established as to why they need the access?
  • Have they been trained on how to use the information?
  • Is there an audit trail established for all accesses to the information?
In addition to citing the rule and describing the key activities needed to
comply with it, the NIST document carries over the rule's own distinction
between "required" implementation specifications, which every covered
entity must implement, and "addressable" ones. Addressable does not mean
optional: the entity must implement an addressable specification if it is
reasonable and appropriate, or document why it is not and put an equivalent
alternative measure in place. This distinction helps prioritize the various
activities and bring a HIPAA program on line in the shortest possible
timeframe.
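The Integrity standard excerpted above names a control objective (protect
ePHI from improper alteration or destruction) and its sample questions ask
for an audit trail, but neither says what such a mechanism looks like in
code. The following is an added example, not code from this article or from
NIST SP 800-66. It seals each ePHI record with an HMAC whose key is kept
apart from the data store, so that write access to the database alone cannot
produce a valid tag, and it keeps a hash-chained audit trail of accesses
whose newest hash is anchored out of band, so that deleting or truncating
log entries is detectable. The record contents, user names, timestamps,
the INTEGRITY_KEY constant and all function names are constructed for the
example.

```python
"""Tamper-evident ePHI integrity tags and a hash-chained access audit trail.

Added example; not from the article or from NIST SP 800-66. Record
contents, user names and timestamps below are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumption: in production this key is fetched from a KMS/HSM and is never
# stored next to the records it protects. A hard-coded value is used only so
# the example runs offline.
INTEGRITY_KEY = b"example-only-key-replace-in-production"

GENESIS_HASH = "0" * 64  # chain anchor for an empty audit log


def canonical(obj: dict) -> bytes:
    """Stable encoding so semantically equal records always hash the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag that authenticates a record's contents."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is unchanged since sealing (constant-time compare)."""
    return hmac.compare_digest(seal_record(record, key), tag)


def append_audit(log: List[dict], user: str, action: str,
                 record_id: str, ts: str) -> dict:
    """Append an audit entry whose hash covers its fields and the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"ts": ts, "user": user, "action": action,
             "record_id": record_id, "prev": prev}
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_audit(log: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (ok, index): index is the first bad entry,
    len(log) if the chain is internally consistent but its head does not match
    the out-of-band anchor (tail truncated), or -1 when everything checks."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, -1


def demo() -> dict:
    """Constructed scenario: seal a record, log three accesses, then attempt
    three kinds of improper alteration or destruction and detect each one."""
    record = {"patient_id": "P-0001", "dob": "1970-01-01",
              "allergies": ["penicillin"]}
    tag = seal_record(record)

    log: List[dict] = []
    append_audit(log, "dr_smith", "read", "P-0001", "2024-03-01T09:00:00Z")
    append_audit(log, "nurse_lee", "update", "P-0001", "2024-03-01T09:05:00Z")
    append_audit(log, "dr_smith", "read", "P-0001", "2024-03-01T10:00:00Z")
    head = log[-1]["hash"]  # anchor copied to a separate, append-only store

    results = {
        "clean_record": verify_record(record, tag),
        "clean_log": verify_audit(log, head)[0],
    }
    # Improper alteration: allergy list silently emptied in the data store.
    altered = dict(record, allergies=[])
    results["altered_record_detected"] = not verify_record(altered, tag)

    # Improper destruction (1): the 'update' entry is removed from the middle.
    ok, bad = verify_audit([log[0], log[2]], head)
    results["deleted_entry_detected"] = (not ok) and bad == 1

    # Improper destruction (2): the newest entry is dropped; the remaining
    # chain is self-consistent, so only the out-of-band head anchor catches it.
    ok, bad = verify_audit(log[:2], head)
    results["truncation_detected"] = (not ok) and bad == 2
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:26s} {'OK' if passed else 'FAIL'}")
```

Two design points matter for the standard. First, an HMAC rather than a plain
hash: a plain hash stored beside the record can simply be recomputed by whoever
altered the record, whereas a keyed tag cannot be forged without the key,
which is why the key must live outside the data store. Second, a hash chain
by itself only proves that the entries you still have are in order; it cannot
tell you the log once had more entries, so the newest hash has to be copied
somewhere the database writers cannot reach (an append-only bucket, a separate
log server, or a periodically signed checkpoint) for the truncation case to be
detected.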
In addition to listing the activities and controls necessary for an
effective HIPAA-compliant security program, the NIST document provides
information on how to conduct an information security risk assessment.
This, in my opinion, provides a strong enough framework that if one were to
expand the document to other information assets, intellectual property for
example, one would have an above-average information security program.
Medical records are extremely sensitive documents, and the Privacy Rule
addresses who can and cannot have access to them and what those who are
allowed access can and cannot do with the medical information. The good
news, if you are an employer, is that the Privacy Rule excludes employment
records that a covered entity holds in its capacity as an employer from the
definition of protected health information, so it does not generally
interfere with your handling of HR records. The qualification is that the
Security Rule applies to any electronic PHI you do hold: if, for instance,
you administer a group health plan and the plan's records are stored or
transmitted electronically, those records fall under the Security Rule. If
you deal regularly with medical records (as opposed to strictly HR records)
you will have additional restrictions on how you may handle them and on what
information you may provide to employers, family members and law
enforcement, all of which is delineated in the Privacy Rule.
HIPAA is still a hot
topic among employers and those who deal regularly with medical
records. As we’ve outlined, NIST has provided a document that can
give you a fighting chance toward understanding how to create an
information security infrastructure that is HIPAA compliant.
The NIST
Special Publication 800-66 can be acquired here:
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
By John Barchie, Senior Information Security Governance Fellow