The National Institute of Standards and Technology (NIST) is inviting comments on updating its resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST's resource guide was published in 2008. The public is invited to provide input by June 15, 2021. NIST seeks comments on how health care organizations and business associates are using the resource guide to assist in complying with the HIPAA Security Rule. NIST also invites comment on how organizations assess risk to electronic protected health information (ePHI), how health care organizations manage concerns regarding business associates' compliance with the Security Rule, and how organizations document implementation of recognized security practices.
The question of how recognized security practices are implemented and documented should be of particular importance to health care organizations and business associates. Effective January 5, 2021, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was amended by P.L. 116-321 to provide that, when conducting audits of Security Rule compliance and assessing fines, the Department of Health and Human Services shall consider whether the organization has demonstrated that it had recognized security practices in place. The term "recognized security practices" is defined to include standards, guidelines, and best practices developed by NIST.