As our partner Mark McCreary writes in his post describing the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (NIST):

The Framework is designed to work with businesses to reach a sufficient level of cybersecurity protection regardless of size, sector, or level of security. The Framework consists of three parts: (1) the Framework Core, (2) the Framework Implementation Tiers, and (3) the Framework Profiles. The Framework Core is a grouping of cybersecurity activities based on industry indicators, desired outcomes, and practices. It assists businesses in developing Framework Profiles, which are used to create cybersecurity plans.

So how can a health care covered entity (such as a health care provider or health plan) or business associate use the Framework to help with HIPAA compliance?

1.  Review health industry-specific guidance available on NIST’s Framework website, such as that issued by the Health Information Trust Alliance (HITRUST).

2.  Review the Framework and the Framework’s FAQs to build a Framework Core that applies in the context of your business activities — for example, include Framework outcome language such as “physical devices and systems within the organization are inventoried” and a Framework category for “Electronic Health Record Access Control”.

3.  Realize that the Framework can be used to improve or strengthen your PHI security by layering it over or weaving it into your HIPAA Privacy and Security Policies and Procedures.