September 10, 2015

QUESTION:        Our hospital is doing a HIPAA security risk assessment and was told we have to follow guidance issued by the National Institute of Standards and Technology (“NIST”). Is that something we have to do?

ANSWER:            No. You can use the NIST publications as a guide, but you don’t have to. The text of the HIPAA Security Rule itself does not reference any NIST publication, although some NIST documents are mentioned in the Preamble to that rule. The HHS Office for Civil Rights (“OCR”) has published several papers providing useful guidance on complying with the Security Rule, which can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. In one of them, OCR says:

Although only federal agencies are required to follow federal guidelines like the NIST 800 series, non-federal covered entities may find their content valuable when performing compliance activities. As stated in the CMS frequently asked questions (FAQs) on the HIPAA Security Rule,

“Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, this does not make them required. In fact, some of the documents may not be relevant to small organizations, as they were intended more for large, governmental organizations.”

The Security Rule does not prescribe a specific risk analysis or risk management methodology. This paper is not intended to be the definitive guidance on risk analysis and risk management. Rather, the goal of this paper is to present the main concepts of the risk analysis and risk management processes in an easy-to-understand manner. Performing risk analysis and risk management can be difficult due to the levels of detail and variations that are possible within different covered entities. Covered entities should focus on the overall concepts and steps presented in this paper to tailor an approach to the specific circumstances of their organization.

Therefore, while the NIST publications might help you in doing the risk assessment, they are not binding on you.