Privacy & Information Security Law Blog

On February 16, 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a requirement of HIPAA’s Security Rule. The final version provides methodologies for HIPAA covered entities to conduct risk assessments and introduces processes for entities to utilize to manage identified risks. The joint OCR/NIST guidance is intended to bolster the healthcare sector’s cybersecurity risk mitigation efforts.