On July 21, 2022, the National Institute of Standards and Technology (“NIST”) released an updated draft of its HIPAA Security Rule guidance. The draft guidance, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2), is designed to assist HIPAA regulated entities “maintain the confidentiality, integrity and availability of electronic protected health information (ePHI).” NIST issued the updated draft guidance to align it with other NIST cybersecurity guidance documents that have been published since the original HIPAA Security Rule guidance was issued in 2008.

The draft guidance does not provide a checklist for HIPAA regulated entities to follow, but rather aims to improve risk management surrounding ePHI. While the draft guidance does not completely overhaul the prior version, it does place more emphasis on risk assessment and management of ePHI than the prior version.

NIST is seeking comments on the draft updated guidance until September 21, 2022. Individuals can submit their comments via email to sp800-66-comments@nist.gov.