Sunday, April 21, 2019

NIST Special Publication 800-66 Rev 1 and How it Applies to HIPAA


For this blog (#4), I decided to write about a National Institute of Standards and Technology (NIST) publication, in particular NIST Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which can be found here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf. I have talked plenty about breaches in the health care industry in my past posts, and about why companies should follow HIPAA rules. I have also discussed the consequences and punishments for not following them. What I haven't really discussed, though, is how companies should implement the HIPAA Security Rule. So that is where this blog will focus.

The publication starts with a background. It states which entities the Security Rule applies to. This includes health care providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors. It also discusses the NIST risk management framework (as shown below) and how it links to the Security Rule. It does this by providing a wonderful table that describes not only the phases and descriptions of the Risk Management Framework (RMF) steps, but also how each step links to the Security Rule in particular. For example, in step one, categorize information systems, the link to the Security Rule is: "Identify assets and information systems that create, receive, transmit, or maintain EPHI".

Figure 1 NIST Risk Management Framework (NIST, 2008)

It then provides several different considerations when applying the HIPAA Security Rule. These are broken down into several sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. All of these sections are then broken into smaller sections. I will discuss a little about each section to provide an overview of what this document provides.

The administrative safeguards include nine separate subjects, with topics such as: security management process, assigned security responsibility, workforce security, contingency plan, etc. Each section has key activities that must be implemented to prevent, detect, contain, and correct security violations, which is the HIPAA standard. One of the key activities in the security management process is to develop appropriate standard operating procedures. The description is to "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports" (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf). The guide also provides sample questions to help implement these activities, such as "How will exception reports or logs be reviewed". All the remaining sections and subjects are broken into a table form that provides an easy way to ensure compliance. An example of the table is shown below.

Also, note that above each section there is the specific HIPAA standard that the key activities correspond to. The above is from the Assigned Security Responsibility section. This entire document does this for all the HIPAA standards that must be followed.

There are four physical safeguards that are mentioned in the document. One of the most important, in my opinion, is the facility access controls. Protecting physical access to information is just as important as technical access. Typically, when you go to a doctor's office, they take all your information down and add it to your chart. Often, the nurses then put it outside for the doctor to grab before they come in. Now, as I have never actually looked there, I can only imagine it could provide some useful information to someone who just went through taking them as they moved along. This is why controlling access to floors or wings is important, and this is what this section covers. One of the key tasks is to develop access control and validation procedures: basically, how an organization validates those who need access. The rest of the physical control section deals with workstation use and security as well as device and media controls.

Finally, as far as controls are concerned, there are the technical controls. There are five separate controls that should be implemented. One that I want to discuss is the audit controls section. The reason I mention this is because this document is very helpful to an organization in that it provides an auditing section which helps an organization actually audit their systems. One key task is to develop appropriate standard operating procedures. This is made easier because a lot of these procedures can be written by using this NIST publication.

The last two sections are the organizational requirements, which deal primarily with contracts and group health plans, and the policies and procedures and documentation requirements. This section is of particular importance because following policies and procedures is the way to ensure that these controls are being implemented and followed. The documentation is also proof that the organization is doing this. One of the most important key activities in both of these subsections is the updating of the policies, procedures, and documentation. It is completely useless to create a policy and procedure, or document it, and never look at it again.

This NIST SP is extremely useful to any health organization. The description of the key activities and associated sample questions can help any organization implement the HIPAA standards. It should also help when it comes to auditing to ensure that a company is following the guidelines, because this is almost a checklist. It makes little sense for a company or organization not to follow these guidelines.
