NIST Prepares HIPAA Security Toolkit

Targets December Release for Compliance Helper
NIST Prepares HIPAA Security Toolkit
The National Institute of Standards and Technology hopes to unveil a free HIPAA Security Rule Toolkit by December to help healthcare organizations achieve compliance.

Exeter Government Services, a Gaithersburg, Md.-based consulting firm, is developing the toolkit under a contract with NIST. It's a downloadable interactive application that poses a series of questions and offers activities regarding 42 implementation specifications for the HIPAA security rule, says J.P. Chalpin, director of engineering at Exeter. A prototype already includes some 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve.

The Department of Health and Human Services' Office for Civil Rights is still working on a final version of HITECH Act-mandated modifications to the HIPAA security rule, as well as HIPAA privacy and enforcement provisions. Exeter will collaborate with NIST to update the toolkit as necessary in light of the final modifications, says Kevin Stine, NIST information security specialist.

The partners described the project Wednesday at a HIPAA security conference in Washington co-sponsored by OCR and NIST. Also at the show, an OCR official said the final rule containing the HIPAA modifications would be released as part of an omnibus package of regulations sometime this year (see: HITECH Mandated Regs Still In Works).

The toolkit "will help organizations better understand the requirements of the HIPAA security rule," Chalpin says, but it will not enable users to produce definitive proof of compliance. It will, however, prove helpful in supporting risk assessments, he adds. Plus, he says the application will help organizations produce information "that you'll need to have available if the government comes knocking" to check HIPAA compliance.

Content in the toolkit will be available for re-use by others in their own applications, Chalpin says. The content covers basic security practices, such as access control, backups and physical security; factors involved in handling security failures, such as legal issues to address after a breach incident; risk management issues; and personnel issues.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.