Appendix F: HIPAA Security Rule Mapping
Health Care and Public Health Sector Cybersecurity Framework Implementation Guide
The sensitive health information maintained by health care providers and health plans has become an increasingly attractive target for cyberattacks. The need for health care organizations to up their game on health data security has never been greater.
To help health care organizations covered by the HIPAA Rules bolster their security posture, the HHS Office for Civil Rights (OCR), together with NIST and the Office of the National Coordinator (ONC) for Health IT, developed a crosswalk that identifies "mappings" between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The crosswalk also includes mappings to other commonly used security frameworks.
Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity's ability to secure ePHI from a broad range of threats. The HIPAA Security Rule is designed to be flexible, scalable, and technology-neutral, which enables it to accommodate integration with more detailed frameworks such as the NIST Cybersecurity Framework. Although the Security Rule does not require use of the NIST Cybersecurity Framework and use of the Framework does not guarantee HIPAA Security Rule compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.
In addition, Congress, in both the HITECH Act of 2009 and the Cybersecurity Information Sharing Act of 2015 (CISA), called for guidance on implementation of NIST frameworks. In response, this crosswalk provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risk. The crosswalk also supports and encourages entities covered by the HIPAA Rules and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI.