Your Roadmap to Risk Reduction!

The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:

HIPAA NIST 800-66 Compliance

The HIPAA attestation is the only authorized compliance assessment for healthcare providers and provides the highest standard of assurance to your customers.

Buyer Beware! HITRUST is not the official standard recognized by HHS.

Modules include:

  • HIPAA NIST 800-66 System Security Plan (SSP)
  • HIPAA NIST 800-66 Security Assessment Report (SAR)
  • HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act
  • Meaningful Use Stage 1
  • Meaningful Use Stage 2
  • Meaningful Use Stage 3
  • Federal Information Processing Standard (FIPS) 199 Categorization

FREE HIPAA Business Associate Agreement (BAA)

If you are in need of a HIPAA-compliant Business Associate Agreement (BAA), we can provide one to you for free. Create an account in the ITAM IT audit software demonstration system and subscribe to the HIPAA Business Associate Contract. After answering a few simple questions you will be able to immediately download a perfectly prepared HIPAA Business Associate Agreement (BAA) that may be given to your business associates.

What are you waiting for?

Understanding the HIPAA Security Rule

The HIPAA Security Rule is about establishing systems to maintain the confidentiality and integrity of electronic protected health information (ePHI). Any health information that is transmitted electronically by health care providers, clearinghouses, or health plans must meet certain security standards.

The Security Rule mandates certain safeguards for HIPAA-covered entities. These cover administrative processes, technology and infrastructure, and physical access to health information.

Compliance may involve a risk assessment, a review of existing security policies, and requirements for notification of any data breaches. The standards are flexible, so that covered entities can adapt them to their particular needs.

NIST 800-66 Compliance Checklist

NIST 800-66 is a guide used by entities that must adhere to the HIPAA Security Rule. The guide outlines the procedures and standards to follow to secure electronic protected health information. These security standards are designed specifically for the healthcare space to help organizations achieve HIPAA compliance.

The checklist helps the regulated entity better review its risk management framework, cybersecurity controls, and alignment with established best practices on cybersecurity frameworks.

Working through this risk management checklist helps the organization identify and manage risks and then implement security controls. It also helps in preparing for HIPAA compliance audits.

SAI360 Supports NIST SP 800-66

SAI360 supports NIST SP 800-66 with a security platform that makes it easier to manage the cybersecurity practices required for HIPAA compliance when handling electronic protected health information (ePHI). It centralizes all risk assessments, data, and testing, and streamlines compliance efforts via automated workflows.

SAI360 automates the testing of security controls, helps enforce security policies around HIPAA, and creates a central record of compliance activities through real-time reporting. This allows for proactive risk management practices and simplifies the preparation for audits.

The automated workflows of this platform simplify processes and reduce the risk of errors.

FAQ 

The audit will look at an organization’s policies, procedures, and controls around protecting ePHI at every stage. This includes transmission, backup, storage, even disposal. The audit reviews both physical and technical safeguards around this sensitive data. The security assessment will look at access controls, workstation and device controls, and the like.

NIST 800-66 essentially serves to translate the legal HIPAA compliance rules into practical IT and risk management practices. It outlines the appropriate safeguards and technology needed to protect sensitive personal health information. It is a tool that helps implement the Security Rule more effectively.

HIPAA is the overall federal law around the privacy and security of personal health information. NIST 800-66 helps healthcare organizations and their associates enforce HIPAA security through a set of practical standards and provides guidance for technical and physical risk management practices and protocols. It primarily focuses on an appropriate cybersecurity framework.

Using the guidelines of NIST 800-66, an audit identifies vulnerabilities in systems and processes that could expose patient data. It suggests security controls, especially for the technology your organization uses. Overall, regular audits demonstrate due diligence and reduce your risk of data breaches, reputational damage, and legal exposure.

There are no specific guidelines, but demonstrating ongoing compliance is recommended, using regular training refreshers for staff to stay current on the latest privacy and security protocols. Logs and documentation should be regularly reviewed and then maintained for a minimum of six years. Security incidents may trigger a request for an audit from related agencies.

You are just a conversation away from putting the power of Continuum GRC to work for you. 

Contact us using the form below or call us at 1-888-896-6207 for immediate assistance.

Download our company brochure.

About this standard

The NIST Special Publication 800-66, titled An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, is a guidance document published by the National Institute of Standards and Technology (NIST). It is designed to assist organizations in implementing the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) by providing a structured approach to managing the security of electronic protected health information (ePHI). While not a regulation itself, NIST 800-66 serves as a key resource for achieving compliance with the HIPAA Security Rule, which is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Below is a compliance overview of NIST 800-66, focusing on its purpose, structure, and application in the context of HIPAA compliance.

Purpose of NIST 800-66

NIST 800-66 aims to:

  • Provide practical guidance for covered entities (e.g., healthcare providers, health plans, healthcare clearinghouses) and business associates with ePHI.
  • Help organizations understand and implement the HIPAA Security Rule’s administrative, physical, and technical safeguards.
  • Offer a risk-based approach to assess and mitigate threats to ePHI, aligning with NIST’s broader cybersecurity frameworks.
  • Support compliance with HIPAA by mapping its requirements to NIST security controls and best practices.

Scope and Applicability

  • Target Audience: Applies to HIPAA-covered entities and their business associates (e.g., third-party vendors, IT service providers) that create, receive, maintain, or transmit ePHI.
  • Focus: Focuses on protecting ePHI, defined as individually identifiable health information transmitted or maintained in electronic form.
  • Non-Mandatory Guidance: Unlike the HIPAA Security Rule, NIST 800-66 is not legally binding but is widely regarded as a best practice for achieving HIPAA compliance.

Key Components of NIST 800-66

NIST 800-66 provides a framework for implementing the HIPAA Security Rule by breaking down its requirements and offering actionable steps. The document, updated in October 2008 (Revision 1), includes the following key components:

  1. Overview of the HIPAA Security Rule:
    • The HIPAA Security Rule mandates that covered entities and business associates implement safeguards to ensure the confidentiality, integrity, and availability of ePHI.
    • It requires a flexible, risk-based approach, allowing organizations to tailor safeguards to their size, complexity, and capabilities.
    • NIST 800-66 explains the rule’s administrative, physical, and technical safeguards and provides context for their implementation.
  2. Risk Management Framework:
    • NIST 800-66 emphasizes a risk-based approach to security, aligning with NIST’s Risk Management Framework (RMF) in NIST SP 800-39 and NIST SP 800-30 (Guide for Conducting Risk Assessments).
    • Key steps include:
      • Identify Risks: Assess threats and vulnerabilities to ePHI (e.g., unauthorized access, malware, physical theft).
      • Evaluate Risks: Determine the likelihood and impact of risks to ePHI.
      • Implement Controls: Select and apply appropriate safeguards to mitigate identified risks.
      • Monitor and Review: Continuously monitor the effectiveness of controls and update the security program as needed.
  3. Mapping to HIPAA Security Rule Standards:
    • NIST 800-66 organizes the HIPAA Security Rule’s standards and implementation specifications into actionable guidance.
    • Each standard (e.g., Security Management Process, Access Control) is accompanied by:
      • Key Activities: Steps to implement the standard (e.g., conducting risk assessments, developing policies).
      • Sample Questions: Questions to guide organizations in evaluating compliance (e.g., “Does your organization have policies for granting access to ePHI?”).
      • References to NIST Standards: Links to relevant NIST publications (e.g., NIST SP 800-53 for security controls) for deeper technical guidance.
  4. Administrative Safeguards:
    • Security Management Process: Conduct risk assessments, implement risk management strategies, and maintain policies to prevent, detect, and respond to security violations.
    • Assigned Security Responsibility: Designate a security official to oversee the security program.
    • Workforce Security: Ensure employees have appropriate access to ePHI and receive security training.
    • Information Access Management: Establish policies for authorizing and restricting access to ePHI.
    • Security Awareness and Training: Provide regular training on security policies and procedures.
    • Security Incident Procedures: Develop and implement procedures to respond to and report security incidents.
    • Contingency Planning: Create plans for data backup, disaster recovery, and emergency operations.
    • Evaluation: Periodically assess the security program’s effectiveness.
    • Business Associate Contracts: Ensure contracts with business associates include provisions to protect ePHI.
  5. Physical Safeguards:
    • Facility Access Controls: Limit physical access to facilities housing ePHI (e.g., locks, keycards).
    • Workstation Use and Security: Implement policies for secure use and protection of workstations accessing ePHI.
    • Device and Media Controls: Manage the receipt, removal, and disposal of hardware and media containing ePHI (e.g., secure disposal of hard drives).
  6. Technical Safeguards:
    • Access Control: Implement technical measures like user authentication, role-based access, and emergency access procedures.
    • Audit Controls: Use hardware, software, or procedural mechanisms to record and examine ePHI access.
    • Integrity: Protect ePHI from improper alteration or destruction (e.g., checksums, digital signatures).
    • Person or Entity Authentication: Verify the identity of users or systems accessing ePHI (e.g., passwords, biometrics).
    • Transmission Security: Ensure ePHI is encrypted during transmission over networks (e.g., TLS, VPNs).
  7. Implementation Specifications:
    • The HIPAA Security Rule includes required and addressable specifications:
      • Required: Must be implemented (e.g., risk analysis, encryption for data in transit).
      • Addressable: Must be implemented if reasonable and appropriate; otherwise, document why they are not implemented and adopt alternative measures (e.g., encryption for data at rest).
    • NIST 800-66 provides guidance on evaluating whether addressable specifications are applicable.
  8. Appendices and Resources:
    • Appendix D: Maps HIPAA Security Rule standards to NIST SP 800-53 controls, facilitating alignment with broader cybersecurity frameworks.
    • Appendix E: Lists additional NIST publications for technical guidance (e.g., NIST SP 800-88 for media sanitization).
    • Glossary and Acronyms: Clarifies key terms used in the HIPAA Security Rule and NIST frameworks.
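The Technical Safeguards above (Access Control, Audit Controls, Integrity) are described only at the policy level. The following added example, which is not code from the page or from Continuum GRC, shows what three of them look like as working code: a role check before any ePHI read, an HMAC-SHA256 tag that makes alteration of a stored record detectable, and a hash-chained audit log in which every access attempt (allowed, denied, or failed integrity check) is recorded and later verifiable. The key, user names, roles and patient record are all constructed for the demonstration; a real system would keep the key in a KMS or HSM and the log in append-only storage.

```python
"""Added example (not from the page): Access Control, Integrity and Audit Controls
safeguards for ePHI in ~80 lines. Every key, user and patient value is constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. Real deployments keep this in a KMS/HSM, never in source.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity safeguard: attach an HMAC-SHA256 tag so later alteration is detectable."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag; compare_digest keeps the comparison constant-time."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit Controls safeguard: append-only log where each entry commits to the
    previous entry's hash, so editing or deleting an entry breaks verify_chain()."""

    GENESIS = "0" * 64
    FIELDS = ("ts", "user", "role", "patient_id", "action", "outcome")

    def __init__(self):
        self.entries = []

    def record_access(self, user, role, patient_id, action, outcome, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"ts": when, "user": user, "role": role,
                "patient_id": patient_id, "action": action, "outcome": outcome}
        entry_hash = hashlib.sha256(prev.encode() + canonical(body)).hexdigest()
        self.entries.append({**body, "prev_hash": prev, "entry_hash": entry_hash})
        return entry_hash

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: e[k] for k in self.FIELDS}
            if e["prev_hash"] != prev:
                return False
            if hashlib.sha256(prev.encode() + canonical(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def accesses_to(self, patient_id):
        """Examine recorded ePHI access for one patient (the 'examine' half of the safeguard)."""
        return [e for e in self.entries if e["patient_id"] == patient_id]


# Constructed role policy: which roles may perform which action on ePHI.
ALLOWED_ROLES = {"view": {"physician", "nurse"}, "export": {"physician"}}


def access_ephi(log, user, role, sealed, action):
    """Access Control check, then integrity check; every attempt is audited regardless."""
    pid = sealed["data"]["patient_id"]
    if role not in ALLOWED_ROLES.get(action, set()):
        log.record_access(user, role, pid, action, "denied")
        return None
    if not verify_record(sealed):
        log.record_access(user, role, pid, action, "integrity-failure")
        return None
    log.record_access(user, role, pid, action, "ok")
    return sealed["data"]


def demo():
    """Constructed walk-through: one allowed read, one denied export, one tampered record."""
    record = {"patient_id": "P-0001", "dob": "1970-01-01", "dx": "J45.20"}  # constructed
    sealed = seal_record(record)
    log = AuditLog()
    ok = access_ephi(log, "dr.ada", "physician", sealed, "view")
    denied = access_ephi(log, "clerk.bob", "billing", sealed, "export")
    tampered = {"data": {**sealed["data"], "dx": "Z00.00"}, "tag": sealed["tag"]}
    integ = access_ephi(log, "dr.ada", "physician", tampered, "view")
    return ok is not None, denied is None, integ is None, log.verify_chain(), len(log.entries)


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, 3)
```

The point of chaining the log entries is that an audit reviewer can prove the record of who touched a patient's data is complete and unaltered, which is what an OCR reviewer asks for when checking the Audit Controls standard; a plain table of rows cannot show that a row was not quietly removed.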

Key Compliance Steps

To align with NIST 800-66 and achieve HIPAA Security Rule compliance:

  1. Conduct a Risk Assessment: Identify and prioritize risks to ePHI using NIST 800-30 guidelines.
  2. Develop Policies and Procedures: Create a comprehensive security program addressing administrative, physical, and technical safeguards.
  3. Designate a Security Official: Appoint a qualified individual to oversee compliance efforts.
  4. Implement Safeguards: Deploy controls like encryption, access controls, and audit logging based on risk assessment findings.
  5. Train Workforce: Provide regular security awareness training to employees and contractors.
  6. Monitor and Test: Conduct periodic testing (e.g., vulnerability scans, penetration testing) and monitor systems for unauthorized access.
  7. Manage Business Associates: Ensure third-party vendors comply with HIPAA through business associate agreements (BAAs).
  8. Document Compliance: Maintain documentation of risk assessments, policies, and incident responses for at least six years.
  9. Respond to Incidents: Develop and test an incident response plan to address breaches or security incidents.
  10. Periodically Review: Update the security program based on changes in technology, risks, or regulations.

Enforcement and Penalties

  • HHS OCR Enforcement: The OCR enforces the HIPAA Security Rule, not NIST 800-66 directly. Non-compliance can result in:
    • Civil penalties ranging from $137 to $2.1 million per year per violation (adjusted for inflation as of 2025).
    • Criminal penalties for willful violations, including fines and imprisonment.
    • Corrective action plans, settlements, or reputational damage.
  • Examples: OCR settlements often involve significant fines, such as the $16 million Anthem settlement (2018) for inadequate safeguards leading to a data breach.
  • Breach Notification: Under the HIPAA Breach Notification Rule, organizations must report breaches of unsecured ePHI to affected individuals, HHS, and, in some cases, the media.

Challenges

  • Complexity: Aligning with both HIPAA and NIST frameworks requires technical expertise and resources, especially for small organizations.
  • Addressable Specifications: Determining whether addressable specifications are “reasonable and appropriate” can be subjective and requires documentation.
  • Third-Party Risks: Ensuring business associates comply with HIPAA adds complexity to vendor management.
  • Evolving Threats: Keeping up with emerging cybersecurity threats (e.g., ransomware) demands continuous updates to safeguards.
  • Regulatory Overlap: Organizations subject to other regulations (e.g., FTC Safeguards Rule, FINRA) must navigate overlapping requirements.

Benefits of Compliance

  • Patient Trust: Robust safeguards enhance confidence in the organization’s handling of sensitive health information.
  • Risk Mitigation: A risk-based approach reduces the likelihood and impact of data breaches.
  • Regulatory Compliance: Adherence avoids costly penalties and OCR enforcement actions.
  • Alignment with Standards: NIST 800-66 facilitates integration with broader cybersecurity frameworks like NIST SP 800-53 or FedRAMP.

Recent Developments (as of August 2025)

  • Increased OCR Enforcement: The OCR has intensified audits and penalties for HIPAA violations, particularly for inadequate risk assessments and encryption.
  • Cybersecurity Focus: Growing emphasis on ransomware protection, multifactor authentication (MFA), and encryption in response to rising healthcare data breaches.
  • Alignment with NIST Updates: NIST 800-66 aligns with NIST SP 800-53 Revision 5 (released 2020), incorporating modern controls like supply chain risk management and privacy protections.
  • Automation Trends: Organizations are adopting tools like OSCAL (Open Security Controls Assessment Language) to streamline HIPAA compliance documentation.

How to Get Started

Conclusion

NIST 800-66 is a critical resource for implementing the HIPAA Security Rule, providing a structured, risk-based approach to protecting ePHI. It guides organizations through administrative, physical, and technical safeguards, aligning HIPAA requirements with NIST’s cybersecurity frameworks. Compliance involves conducting risk assessments, implementing controls, and maintaining ongoing monitoring, with significant penalties for non-compliance.

Amazing Benefits