Navigating the Update from NIST SP 800-66 Revision 1 to Revision 2: A Closer Look at HIPAA Security Rule Compliance


While the National Institute of Standards and Technology (NIST) recently released CSF v2.0 to much anticipation, the less publicized but equally significant release of NIST SP 800-66r2 in February 2024 is a crucial update for healthcare information security. Revision 2 replaces Revision 1, published in October 2008 (the original SP 800-66 dates from 2005), and focuses on implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Because the threat landscape, the technology in use, and the regulatory context (including the direct liability of business associates) have all changed since 2008, SP 800-66r2 refreshes the guidance and adds resources meant to help covered entities and business associates improve both their security programs and their compliance posture. Let’s dive into this new publication’s key highlights and resources.

Key Differences and Notable Changes

From Revision 1 to Revision 2

Revision 1 provided essential guidance on the HIPAA Security Rule, walking through the administrative, physical, and technical safeguards. It was a widely used resource for organizations seeking clarity on how to implement the Rule.

Revision 2 expands that scope, offers more practical advice, and adds resources that make the Rule easier to understand and implement. It places greater emphasis on protecting electronic protected health information (ePHI) and improves the document’s clarity, utility, and convenience for entities implementing the HIPAA Security Rule.

Notable Updates Between the Revisions

  • Risk Management Guidance: SP 800-66r2 goes deeper into identifying, evaluating, and mitigating risks to ePHI, offering more detailed advice than the foundational guidance in Revision 1.
  • Implementation Activities: The document lists concrete activities that entities can carry out as part of their information security programs, emphasizing practical steps toward compliance.
  • Compliance Assistance: It adds strategies to help entities meet the HIPAA Security Rule’s requirements more effectively.
  • Executive Summary and Introduction: Substantially revised, with an increased emphasis on protecting ePHI.
  • Security Rule Standards Table: New in Revision 2, this table lays out the Rule’s standards to aid understanding and implementation, and it reflects the role of business associates and Business Associate Agreements.
  • Risk Assessment and Management: These sections were reworked to align with SP 800-30 (risk assessment) and the NIST IR 8286 series (integrating cybersecurity risk into enterprise risk management), emphasizing risk management strategies tailored to the organization.
  • Updated Appendices: New appendices cover risk assessment tables, an explanation of the NIST Online Informative Reference (OLIR) Program, and a consolidated list of resources.
  • Contingency Planning and Telework Security: Both topics received significant updates to reflect current operating conditions, including remote access to ePHI, and the corresponding need for robust cybersecurity measures.

Resources for Practitioners

A considerable portion of the guidance in SP 800-66r2 is also accessible through NIST’s Cybersecurity and Privacy Reference Tool (CPRT).

This includes:

  • Key Activities and Sample Questions: The practical guidance from Section 5 on implementing an effective information security program, broken out by Security Rule standard.
  • Mappings to Frameworks and Controls: Mappings between the HIPAA Security Rule standards, NIST Cybersecurity Framework Subcategories, and SP 800-53r5 security controls, useful for tracing a Security Rule requirement to the controls that implement it.
  • Relevant NIST Publications: A list of NIST documents pertinent to the HIPAA Security Rule, serving as a starting point for deeper work on specific topics.


The transition to NIST SP 800-66 Revision 2 is a meaningful step forward for organizations that handle ePHI. The update addresses current security challenges and offers practical, actionable guidance for securing the systems that store, process, and transmit that data. One caveat worth keeping in mind: SP 800-66r2 is guidance, not a regulation, and following it does not by itself establish HIPAA compliance, which is enforced by HHS. Used as intended, however, the detailed guidance and resources in Revision 2 are valuable tools for building a defensible security program and strengthening an organization’s compliance posture.