Triware Networld Systems 






Information Security & Privacy Regulatory Compliance: NIST Support for HIPAA

The National Institute of Standards and Technology (NIST) has done something wonderful with Health Insurance Portability and Accountability Act (HIPAA) security standards: they have made them easier to understand!

Let us not get ahead of ourselves, as you (or your organization) may not need to worry about HIPAA in the first place. To determine whether you are required to meet HIPAA standards, here is a link to four charts for your reference.

If, after reviewing these charts and working through the questions they contain, you cannot answer yes to any of them, then congratulations! You do not need to read any further.

More likely, though, you are a covered entity under HIPAA, and so we will delve into yet another regulation you will want to learn about.

NIST is a non-regulatory agency of the U.S. Department of Commerce that, among other things, publishes standards and guidance for U.S. industry.  It has taken the time to produce a special publication, SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule), that addresses the HIPAA Security Rule directly.  The Security Rule itself (published as a final rule in 2003) runs to roughly 49 pages in the Federal Register.  Because it is such a lengthy and at times complex piece of regulation, the NIST publication is an invaluable resource for anyone who needs to comply with HIPAA.

HIPAA is actually concerned with several themes intended to promote efficiency in the healthcare industry; these themes are known as Titles, in HIPAA parlance.  The Security Rule and the Privacy Rule are both issued under the Administrative Simplification provisions of Title II.  Our concern in this article will be the Security Rule, with perhaps a passing look at the Privacy Rule.   Titles such as Health Care Access (Title I) and Revenue Offsets (Title V) will not be discussed in this article.

When looking for the Security Rule, one should look to the Centers for Medicare & Medicaid Services (CMS), which administered the Security Rule at the time of writing:

Information regarding enforcement of the Privacy Rule by the Office for Civil Rights (OCR) can be found here:

Although neither of the rules is overly complex, they can be a burden both on a small medical office and on a large corporation that is administering a health plan.   As stated, the NIST SP 800-66 document goes a long way toward alleviating that burden.  Here is an example of how it breaks one standard down into key activities and the questions an assessor would ask:


Integrity (§ 164.312(c)(1))

HIPAA Standard: Implement policies and procedures to protect electronic protected health information (EPHI) from improper alteration or destruction.

Key Activities

1. Identify All Users Who Have Been Authorized to Access EPHI

• Identify all approved users with the ability to alter or destroy data, if reasonable and appropriate.

• Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2, below.

Sample Questions

• How are users authorized to access the information?

• Is there a sound basis established as to why they need the access?

• Have they been trained on how to use the information?

• Is there an audit trail established for all accesses to the information?


In addition to citing the rule and describing the key activities necessary to comply with it, the NIST document flags which implementation specifications the Security Rule marks as Required and which it marks as Addressable.  Required specifications MUST be implemented.  Addressable specifications are not optional: you must assess whether each one is reasonable and appropriate for your environment and either implement it or document why it is not appropriate and what equivalent alternative you have put in place.  This distinction helps prioritize the various activities so that a HIPAA program can be brought online in the shortest possible timeframe.

In addition to listing the activities and controls necessary for an effective HIPAA-compliant security program, the NIST document explains how to conduct an information security risk assessment, following the approach of NIST SP 800-30.   In my opinion this provides a strong enough framework that, if one expanded it to other information assets (intellectual property, for example), one would have an above-average information security program.

Medical records are extremely sensitive documents, and the Privacy Rule addresses who can and cannot have access to them and what those who are granted access can and cannot do with the medical information.  The good news, if you are an employer, is that the Privacy Rule does not generally interfere with your handling of HR records: employment records held by a covered entity in its role as employer are excluded from the definition of protected health information.  However, the Security Rule does apply wherever you store or transmit EPHI electronically, for example the enrollment or claims data of a group health plan you sponsor.  If you deal regularly with medical records (as opposed to strictly HR records) you will have additional restrictions placed on how you can handle them, and on what information you may provide to employers, family members and law enforcement, all of which is delineated in the Privacy Rule.

HIPAA is still a hot topic among employers and those who deal regularly with medical records.   As we have outlined, NIST has provided a document that gives you a fighting chance at understanding how to build an information security infrastructure that is HIPAA compliant.

The NIST Special Publication 800-66 can be acquired here:

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE is an Information Technology and Information Security Expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.


© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018