HIPAA NIST 800-66 Compliance

The HIPAA attestation is the only authorized compliance assessment for healthcare providers and provides the highest standard of assurance to your customers.

Buyer Beware! HITRUST is not the official standard recognized by HHS.

Modules include:

HIPAA NIST 800-66 System Security Plan (SSP)
HIPAA NIST 800-66 Security Assessment Report (SAR)
HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act
Meaningful Use Stage 1
Meaningful Use Stage 2
Meaningful Use Stage 3
Federal Information Processing Standard (FIPS) 199 Categorization

FREE HIPAA Business Associate Agreement (BAA)

If you are in need of a HIPAA-compliant Business Associate Agreement (BAA), we can provide one to you for free. Create an account in the ITAM IT audit software demonstration system and subscribe to the HIPAA Business Associate Contract. After answering a few simple questions you will be able to immediately download a perfectly prepared HIPAA Business Associate Agreement (BAA) that may be given to your business associates.

What are you waiting for?

Understanding the HIPAA Security Rule

The HIPAA Security Rule is about establishing systems to maintain the confidentiality and integrity around electronic protected health information (ePHI). Any kind of health information that’s transmitted electronically by health care providers, clearinghouses, or health plans overall must meet certain security standards.

The Security Rule mandates certain safeguards for HIPAA-covered entities. These fall on the administrative end, technology and infrastructure, and any kind of physical access to health information.

Compliance may involve a risk assessment and a review of existing security policies, and requirements for notification around any data breaches. The standards are flexible, so that covered entities can adapt them to their particular needs.

NIST 800-66 Compliance Checklist

NIST 800-66 is a guide used by entities that must adhere to the HIPAA Security Rule. The guide outlines the procedures and standards to follow to secure electronic protected health information. These security standards are designed specifically for the healthcare space to ensure they’re in HIPAA compliance.

The checklist helps the regulated entity better review its risk management framework, cybersecurity controls, and alignment with established best practices on cybersecurity frameworks.

Working through this risk management checklist betters helps the organization identify and manage risks and then implement security controls. It also helps in preparing for HIPAA compliance audits.

SAI360 Supports NIST SP 800-66

SAI360 supports NIST SP 800-66 with a security platform that makes it easier to manage the required cybersecurity practices required for HIPAA compliance when handling electronic Personal Health Information (ePHI). It centralizes all risk assessments, data, and testing, and streamlines compliance efforts via automated workflows.

SAI360 automates the testing of security controls, helps enforce security policies around HIPAA, and creates a central record of compliance activities through real-time reporting. This allows for proactive risk management practices and simplifies the preparation around audits.

The automated workflows of this platform simplifies processes and reduces the risk of errors.

FAQ

Who needs to comply with HIPAA 800-66?

The entities who must comply with NIST SP 800-66 include healthcare providers, health plans, and any healthcare clearinghouses. HIPAA business associates with a contract to create, receive, transmit, or maintain protected health information (PHI) on behalf of a client must also be covered. They must also adhere to cybersecurity best practices.

What are the key components of a HIPAA 800-66 audit?

The audit will look at an organization’s policies, procedures, and controls around protecting ePHI at every stage. This includes transmission, backup, storage, even disposal. The audit reviews both physical and technical safeguards around this sensitive data. The security assessment will look at access controls, workstation and device controls, and the like.

How does HIPAA 800-66 relate to other HIPAA compliance requirements?

HIPAA 800-66 essentially serves to take other legal HIPAA compliance rules and translate them into practical IT and risk management practices. It outlines the appropriate safeguards and technology needed to protect sensitive personal health information. It’s a tool that helps implement the Security Rule more effectively.

What are the main differences between HIPAA and NIST 800-66?

HIPAA is the overall federal law around the privacy and security of personal health information. NIST 800-66 helps healthcare organizations and their associates enforce HIPAA security through a set of practical standards and provides guidance for technical and physical risk management practices and protocols. It primarily focuses on an appropriate cybersecurity framework.

How can HIPAA 800-66 audit services help my organization?

Using the guidelines of NIST 800-66, an audit identifies vulnerabilities in systems and processes that could expose patient data. It suggests security controls (especially with the technology your organization uses). Overall, regular audits demonstrates due diligence and reduces your risks, from data breaches, reputational damage or legal exposure.

How often should I conduct a HIPAA 800-66 compliance audit?

There are no specific guidelines, but demonstrating ongoing compliance is recommended, using regular training refreshers for staff to stay current on the latest privacy and security protocols. Logs and documentation should regularly reviewed and then maintained for a minimum of six years. Security incidents may trigger a request for an audit from related agencies.

You are just a conversation away from putting the power of Continuum GRC to work for you.

Your Roadmap to Risk Reduction!