What Is NIST 800-66
NIST Special Publication 800-66, now in Revision 2 (SP 800-66r2), is a Cybersecurity Resource Guide published by the National Institute of Standards and Technology. Its full title is Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. Its aim is to help covered entities and business associates of all sizes interpret, plan, and perform the activities needed to comply with the HIPAA Security Rule, especially around electronic Protected Health Information (ePHI).
Why NIST 800-66 Matters to Businesses
Legal & Regulatory Requirements
- HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities (health care providers, health plans, healthcare clearinghouses) and their business associates (vendors or partners handling ePHI) to meet the Security Rule. NIST 800-66 provides guidance to do so.
- Revision 2, published February 14, 2024, supersedes Revision 1 (October 2008). It was developed in collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the office that enforces the Security Rule.
What Businesses Are Required to Do
- Entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, and protect it against reasonably anticipated threats, hazards, and impermissible uses or disclosures.
- Must conduct risk analysis and risk management, and determine which administrative, physical, and technical safeguards are reasonable and appropriate. The Security Rule's standards are all mandatory; each implementation specification under a standard is either required or addressable. Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate in its environment, implement it if so, and otherwise document why not and implement an equivalent alternative measure where one is reasonable and appropriate. NIST 800-66 helps with those determinations.
Implementation & Documentation Requirements
- Create and maintain documentation that demonstrates how Security Rule standards and implementation specifications have been satisfied or, where an implementation specification is “addressable,” how it was assessed and what alternative was used, if any.
- Perform risk analysis and risk management as core activities: identify where ePHI is created, received, maintained, or transmitted; map its flows, storage locations, and access paths; and assess the threats and vulnerabilities to it.
- Establish policies, procedures, technical safeguards (e.g. access controls, encryption, audit/logging) to satisfy HIPAA Security Rule standards.
- Maintain documentation of workforce training, contingency plans, breach notification, business associate contracts, and any changes in environment that affect risk.
Why It Matters Beyond Compliance
- Helps reduce the risk of data breaches, regulatory fines, and reputational harm.
- Demonstrates due diligence and security maturity to partners, insurers, regulators.
- Facilitates audit readiness and smoother regulatory oversight.
How NIST 800-66 Works: Process, Structure & Key Concepts
Structure of SP 800-66
- The publication is a guide, not a regulation: following it is not itself a legal requirement, and it creates no new obligations. It helps interpret the HIPAA Security Rule by describing, for each standard, the key activities involved, sample questions to ask, and mappings of HIPAA standards to other frameworks (NIST SP 800-53 controls and the NIST Cybersecurity Framework).
- It categorizes safeguards into administrative, physical, and technical categories, consistent with the HIPAA Security Rule.
Key Process for Implementation
A typical process, as reflected in the guidance and in practice, includes:
- Scope and Inventory: Identify all systems, processes, and people that handle ePHI. Map where ePHI is stored, transmitted, or processed.
- Risk Assessment: Understand threats, vulnerabilities, and environmental factors. Evaluate the likelihood and impact of each risk.
- Control Selection / Safeguards: Decide which administrative, technical, and physical safeguards apply, distinguishing required from addressable implementation specifications. For addressable ones, assess whether they are reasonable and appropriate and implement them if so; otherwise document the rationale and choose an equivalent alternative where one is reasonable and appropriate.
- Documentation: Systematically document policies, procedures, chosen safeguards, implementation specifications, alternatives adopted for addressable specifications, workforce responsibilities, incident response, and business associate obligations.
- Implementation: Deploy the required and chosen safeguards. Conduct workforce training. Secure systems and networks. Control access. Log and monitor.
- Monitoring & Review: Periodically evaluate the effectiveness of the safeguards. Update the risk assessment when the environment changes (new systems, a changed threat landscape) or when incidents occur.
- Continuous Improvement: Use metrics, audits, and findings to enhance the program. Fix issues through tracked corrective actions.
Mapping & Crosswalking
- SP 800-66r2 provides mappings from HIPAA Security Rule standards and implementation specifications to NIST SP 800-53 Rev. 5 controls and to NIST Cybersecurity Framework subcategories. This helps organizations that use more than one framework reduce duplicated effort and align their programs.
Real-World Examples & Use Cases
- A small clinic that uses electronic health records (EHR) software: It must restrict ePHI access to authorized personnel, assess encryption of ePHI at rest and in transit (an addressable specification: implement it, or document why an alternative measure is reasonable and appropriate), train staff, document its policies, and have business associate agreements with vendors that process patient data.
- A telehealth provider serving patients remotely: Needs to secure transmission of ePHI over networks, secure the devices used by remote providers, authenticate users reliably, log and review access to ePHI, and have business associate agreements in place for third-party tools.
- A business associate vendor (e.g. billing service, cloud storage provider) that stores or processes ePHI on behalf of covered entities: It is directly liable for Security Rule compliance and must implement reasonable and appropriate safeguards, document its decisions on addressable specifications, and have a business associate agreement with each covered entity it serves.
- A large hospital system adopting SP 800-66r2 to standardize its program across multiple departments, using the mappings to NIST SP 800-53 to align its HIPAA work with broader compliance and regulatory obligations.
How Apptega Supports NIST 800-66 & HIPAA Security Rule Compliance
- Apptega’s Framework Library includes NIST 800-66 Rev. 2 as one of its frameworks to guide HIPAA Security Rule compliance, with resources for safeguarding ePHI.
- The HIPAA Compliance Guide from Apptega helps organizations organize programs around best practices, interpret Security Rule requirements, document evidence, track policies and controls.
- Using Apptega’s platform, businesses can automate assessments, collect evidence, map between frameworks (e.g. between HIPAA Security Rule/NIST 800-66 and NIST 800-53), store support documentation, manage tasks and corrective actions.