Cyber threats and cybersecurity controls have evolved significantly in the nearly two decades since the HIPAA Security Rule was originally promulgated. During this same period, healthcare entities have increasingly become a prime target of attackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other ways. Recognizing these challenges, some security professionals have sought further clarity on a HIPAA Security Rule they deem to be “long in the tooth”. Yet regulators have not made any significant modifications, perhaps because the original policy considerations behind the HIPAA Security Rule still hold: that “the standard should be comprehensive and coordinated to address all aspects of security”; that it be “scalable, so that it can be effectively implemented by covered entities of all types and sizes”; and that it “not be linked to specific technologies, allowing covered entities to make use of future technology advancements.”

As we previously discussed, the HITECH Act was recently amended to require that HIPAA regulators take “recognized security practices” into account in investigations and enforcement actions. One such source of “recognized security practices” has historically been National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Yet that NIST guidance also appears to be “long in the tooth”: it was issued nearly 13 years ago, in October 2008.

In the absence of significant regulatory changes to the HIPAA Security Rule, NIST has called for comments from healthcare industry stakeholders on how SP 800-66 should be revised. A revision will help clarify what “recognized security practices” are in today’s highly digitized, increasingly distributed and technology-driven environment, and it brings NIST’s considerable cybersecurity expertise and resources to bear on updating the guidance for the threat landscape that healthcare entities now face.

Chiefly, NIST seeks to update the guidance to:

  • Increase awareness of relevant NIST cybersecurity resources,
  • Increase awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and
  • Provide HIPAA Security Rule implementation guidance that reflects the current cyber threat landscape and best practices.

NIST is encouraging comments on stakeholders’ experiences applying SP 800-66 in practice, in order to identify gaps in the guidance. NIST also wants to hear from stakeholders who found the guidance not applicable to their organizations, to determine how to make it more useful, relatable, and actionable. Specifically, NIST is seeking information on useful tactics, tools, resources, and techniques that stakeholders have leveraged in their compliance efforts, including but not limited to:

  • managing both practical and compliance aspects of security,
  • assessing risks to ePHI, including determining whether security measures are effective, and
  • documenting adequate implementation for purposes of compliance.

To gain out-of-the-box perspectives, NIST is also seeking comment on any recognized security practices that stakeholders employ which diverge from what the HIPAA Security Rule requires. While stakeholders may not want to go on the record describing how their own security practices “diverge” from the HIPAA Security Rule, they may discuss industry practices more generally. These comments may prove the most interesting of all, as they will show whether practical security has diverged in a way that requires regulators to revisit the HIPAA Security Rule.

NIST is accepting comments through June 15, 2021. Feel free to contact EBG’s Privacy, Cybersecurity, and Data Asset Management Team if you are interested in developing and submitting comments to shape what will likely constitute “recognized security practices” for the foreseeable future.

Alaap B. Shah

Patricia Wagner
