To help organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) bolster their security posture, the Office for Civil Rights (OCR) has released a “crosswalk,” developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The crosswalk also includes mappings to other commonly used security frameworks. Entities covered by HIPAA must implement strong data security safeguards in their environments and, in particular, comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) they create, receive, maintain, or transmit.

Next Steps

  • Employers subject to HIPAA, including all self-funded plans, EAPs, FSAs, HRAs and HSAs, should ensure they are HIPAA-compliant.
  • For complete details, see the “crosswalk” guidance.
  • For more information on how to ensure HIPAA compliance, and for other resources, see the Security Rule Guidance Material.