NIST Finalizes SP 800-66 Rev. 2 for HIPAA Security Rule — February 21, 2024
The updated guidance aligns HIPAA Security Rule safeguards with NIST’s latest cybersecurity resources for healthcare entities.
Executive briefing: NIST has published the final version of Special Publication 800-66 Revision 2, updating its implementation resource for the HIPAA Security Rule. The refresh maps administrative, physical, and technical safeguards to contemporary cybersecurity practices.
What’s new
- Integration with NIST frameworks. The guide references the Cybersecurity Framework 2.0, SP 800-53 Rev. 5, and the Privacy Framework to help regulated entities harmonize controls.
- Expanded risk management guidance. Revision 2 clarifies how to perform risk analyses, document risk management plans, and incorporate business associate oversight.
- Practical implementation tips. Updated tables translate HIPAA requirements into discrete tasks, checklists, and resources tailored to covered entities and business associates.
Why it matters
- Healthcare resilience. Rising ransomware and extortion pressures demand alignment between HIPAA compliance, HHS cybersecurity performance goals, and zero trust initiatives.
- Audit-ready documentation. The publication offers templates and references organizations can use to demonstrate due diligence during OCR investigations.
- Third-party governance. Business associates gain clearer expectations for safeguarding protected health information across cloud, IoT, and telehealth workflows.
Action checklist
- Review SP 800-66 Rev. 2 control mappings and update HIPAA risk analysis documentation accordingly.
- Align incident response, contingency planning, and access management policies with referenced NIST controls.
- Engage business associates to confirm adoption of recommended safeguards and reporting obligations.