Information Shield Supports New NIST-HIPAA Guidelines

In February, the National Institute of Standards and Technology (NIST) released the updated version of its guidance for implementing the HIPAA Security and Privacy Rule. NIST SP 800-66r2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, is the second revision and contains updated guidance on how Covered Entities can comply with HIPAA.

HIPAA enforcement actions against Covered Entities by the HHS Office for Civil Rights (OCR) are among the most publicized events because of public reporting requirements. Since the compliance date of the Privacy Rule in April 2003, OCR has received over 348,877 HIPAA complaints and has initiated over 1,182 compliance reviews, with over ninety-nine percent of these cases (345,998) resolved.

Healthcare organizations, the Covered Entities (CE), and their Business Associates (BA) can dramatically reduce the likelihood of compliance sanctions by implementing a defensible cyber security program that addresses all key areas of HIPAA. Information Shield helps automate HIPAA Security and Privacy Rule compliance via our ComplianceShield platform. In this article we show how specific Information Shield functions help streamline and support HIPAA compliance.

HIPAA Requirement

3.1. HIPAA Risk Assessment Requirements

HIPAA compliance requires two formal processes for risk management: Risk Assessment and Risk Management.

5.1.1. Security Management Process (§ 164.308(a)(1))

HIPAA requires organizations to develop and document a formal cyber security program that manages ongoing risk and compliance. Management accountability is required.

5.5.1. Policies and Procedures (§ 164.316(a))

HIPAA requires the development, deployment and ongoing update of written information security policies. Policies must cover all required (R) and addressable (A) controls.

5.5.2 Documentation Requirements

HIPAA requires organizations to keep a record of information security policies and related documents for 6 years.

5.1.2. Assigned Security Responsibility (§164.308(a)(2))

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

5.1.3. Workforce Security (§ 164.308(a)(3))

HIPAA requires that personnel security is part of hiring, management and employment termination. Employment screening and termination are key controls.

5.1.5. Security Awareness and Training (§ 164.308(a)(5))

HIPAA requires the organization to implement a security awareness and training program for all members of its workforce, including management.

5.1.6. Security Incident Procedures (§ 164.308(a)(6))

HIPAA requires organizations to define policies and procedures to respond to security incidents. Incidents and possible breaches must be reported to government entities.

5.1.7. Contingency Plan (§ 164.308(a)(7))

HIPAA requires organizations to prepare for disasters and other business disruptions, including the development and testing of contingency plans.

5.1.8. Evaluation (§ 164.308(a)(8))

HIPAA requires organizations to perform ongoing measurement and evaluation of the information security program.

5.1.9. Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

HIPAA requires that organizations assess and validate the cyber security posture of third-party vendors (Business Associates).

5.2-5.4 Physical, Technical and Organizational Controls

HIPAA requires organizations to adopt formal controls to protect information and systems. Controls span all aspects of security including logical and physical access controls, asset management and personnel management.

ComplianceShield Solution

Cyber Risk Assessment Wizard

ComplianceShield has a built-in Library of Assets, Threats and Risk Events driven by our Risk Assessment Wizard.

Automate HIPAA Security Management

Use our Compliance Wizard to dramatically simplify the process of developing and managing a HIPAA Control Baseline. Within minutes you have a custom security program baseline based on our best-practices security library.

Develop HIPAA Information Security Policies

ComplianceShield contains 50 pre-written security policy templates covering all HIPAA Controls. Common Policy Library (CPL) documents are mapped to multiple frameworks.

Policy Document Version Management

ComplianceShield enables the creation, update and ongoing management of policy documents. Revision history and updates are recorded in audit logs.

Security Roles and Responsibilities Library

ComplianceShield helps demonstrate management accountability by assigning and tracking Controls based on security roles. A built-in Library of 20 pre-written job descriptions helps document the security program.

Workforce Security Policy Awareness and Tracking

Automatically distribute policies, procedures and training directly to users based on their role within the organization. Verify user understanding by tying assessments to specific policies.

Security Awareness and Training Automation

Use our built-in security awareness training library to educate each user on basic security awareness principles. Easily distribute and track training via our User Portal.

Security Incident Reporting and Management

Manage your entire incident reporting, management and response tasks through a simple, integrated interface. Built-in incident types support annual review and analysis of cyber incidents.

Disaster Recovery Plans and Procedures

ComplianceShield has built-in templates for developing and testing Business Continuity Plans.

HIPAA Program Evaluation

Easily view the information security posture of your entire organization in a single compliance dashboard. Validate your compliance program by using our IT Risk Scoring report.

HIPAA Vendor Risk Management

ComplianceShield automates the entire vendor risk management process. It includes our Common Vendor Assessments (CVA) to assess the cyber risk of Business Associates.

Common Control Library (CCL)

Our unique Common Control Library (CCL) has over 400 management and technical controls addressing the latest technologies, threats and regulatory requirements. All Controls are mapped to multiple regulatory requirements.

Organizations interested in streamlining HIPAA compliance can get a FREE trial of ComplianceShield.