HIPAA Security Rule Guidance Sought

Tiger Team Wants HHS to Offer Updated, Detailed Guidance
The Department of Health and Human Services should provide regularly updated, detailed guidance on all aspects of HIPAA security rule compliance, the Privacy and Security Tiger Team plans to recommend.

At a Nov. 15 meeting, members of the team, which advises HHS on a variety of issues, lamented that federal authorities have not provided enough updated guidance on how to maintain healthcare information security. As an example of valuable guidance, team leaders pointed to the National Institute of Standards and Technology's updated guidance for compliance with the Federal Information Security Management Act through its 800-53 special publication, updated every two years. Although FISMA only applies to federal agencies, many private sector firms use the updated 800-53 guidance.

"Healthcare lacks the equivalent of 800-53," said team member Dixie Baker, a senior vice president at Science Applications International Corp.

Both 800-53 and the ISO (International Organization for Standardization) 27001 standard are much more detailed than the Health Insurance Portability and Accountability Act's security rule, according to the team. For example, while both 800-53 and ISO 27001 describe protections for the external network boundary, the HIPAA security rule does not specifically require boundary controls.

The tiger team will continue work on a recommendation calling for HHS to "adopt a consistent, more dynamic process" for regularly updating security guidance, hoping for detailed updates along the lines of 800-53. "Let's start with an educational effort and documents that really give guidance," said team member Neil Calman, M.D., of the Institute for Family Health.

Gap Analysis

At the Nov. 15 meeting, Kevin Stine, an information security specialist at NIST, offered a preliminary "gap analysis" comparing HIPAA security rule requirements to the details included in 800-53 and ISO 27001. The tiger team plans to ask HHS to evaluate this gap analysis in more detail as a way to help develop HIPAA compliance guidance.

The team's final, refined recommendations will be presented to the Health IT Policy Committee, which will then vote on whether to endorse them for HHS consideration.

Meanwhile, as reported earlier, NIST soon will offer a HIPAA Security Toolkit to help with compliance.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
