Recently, the National Institute of Standards and Technology (NIST) requested comments on its Resource Guide for implementing the HIPAA Security Rule (SP 800-66). This Guide, first released in 2008, summarizes the HIPAA Security Rule standards and explains the structure and organization of the Security Rule.

Since the Guide’s original publication, cyberattacks and threat conditions have changed significantly. As such, NIST is seeking stakeholder input to improve the Guide. Namely, it wants to understand how covered entities and business associates have used and applied the Guide when implementing cybersecurity programs. NIST’s three key objectives with the Guide are to:

  • educate readers about information security terms used in the HIPAA Security Rule,
  • amplify awareness of non-NIST resources relevant to the HIPAA Security Rule, and
  • provide detailed implementation guidance for covered entities and business associates.

Specifically, NIST has asked for feedback about which components of the Guide are used, including which aspects are least helpful and what sections might be missing. NIST also wants to understand how the Guide could be more useful and relatable to a variety of audiences, such as small health care providers, health plans, and health care clearinghouses (among others). NIST is also looking for information about how the Guide is used in practice to implement a data security program. For example, organizations submitting comments may want to provide input about the tools, resources, or techniques used to implement the HIPAA Security Rule.

Putting it Into Practice: The NIST website provides a more detailed list of suggested areas for feedback. NIST invites comments through June 15, 2021 at In the subject field, comments should be labeled “Resource Guide for Implementing the HIPAA Security Rule Call for Comments”. After that date, a revised version will be provided for public review and comment.