Hosted by JANUS Associates, the final version of Special Publication (SP) 800-66 Rev 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, has been released by the HHS Office for Civil Rights (OCR) and NIST. This revised publication includes resources for HIPAA-covered entities (most healthcare providers, health plans, and healthcare clearinghouses) and their business associates to help them understand the HIPAA Security Rule, drive compliance with the law, and bolster security. It is the latest step in HHS's work in this area: HHS released a Department-wide cybersecurity strategy for the healthcare sector in December of 2023, and voluntary performance goals to enhance cybersecurity across the health sector in January 2024.

This publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risks to electronic protected health information (ePHI), suggestions for cybersecurity measures and solutions that HIPAA-covered entities and business associates might consider as part of an information security program, and resources for implementing the Security Rule. Specific topic areas include:

  • Explanations of the HIPAA Security Rule’s Risk Analysis and Risk Management requirements.
  • Key Activities to consider when implementing Security Rule requirements.
  • Actionable steps for implementing security measures.
  • Sample questions to determine the adequacy of cybersecurity measures to protect ePHI.

In addition to the publication itself, NIST has also provided supplementary content on its website to further assist HIPAA-covered entities and business associates with strategies to improve their cybersecurity in specific areas including:

  • Telehealth/Telemedicine
  • Mobile Device Security
  • Ransomware & Phishing
  • Medical Device Security
  • Cloud Services
  • Internet of Things Used in Healthcare
  • Application Security
  • Supply Chain