
HIPAA to NIST Crossreference — Roadmap to Compliance

Tower of Babel

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST has issued standards for the implementation of information technology security, and it is referenced in the preamble of the final rule. The NIST security standards are one of the bases for the structure of the HIPAA Security Regulations. NIST has also been referenced by the HITECH Act as a standards-setting organization for HIPAA compliance. Covered entities and business associates should use the NIST standards in developing methods to implement changes to their business practices to become compliant with the new HIPAA standards and with other guidance issued, or to be issued, pursuant to the HITECH Act. Below is a cross-reference of HIPAA provisions and the potentially relevant NIST publications that provide corresponding standards or information.

Safeguard: Administrative, Physical or Technical

Standards: The title of the HIPAA Security provision.

CFR Sections: Cite to the Code of Federal Regulations for the particular HIPAA Security provision.

Required – Addressable: This column pertains to implementation details. The Security regulations have two types of provisions, required and addressable. Covered entities are required to implement both the required and the addressable provisions. However, a covered entity may meet a given "addressable" standard through alternative measures, and that decision must be documented.

NIST Publication Number: This column provides the number of the NIST publication in which similar information is found.

Publication Title: This column provides the NIST publication title for the document in which the corresponding information ex

| Safeguard | Standards | CFR Sections | Specifications | Required / Addressable | NIST Publication | Publication Title |
|---|---|---|---|---|---|---|
| Administrative | Security Management Process | 164.308(a)(1) | Risk Analysis | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Risk Management | (R) | NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Sanction Policy | (R) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-27 | Engineering Principles for Information Technology Security (Baseline for Achieving Security) |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
| Administrative | Security Management Process | 164.308(a)(1) | Information System Activity Review | (R) | NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Assigned Security Responsibility | 164.308(a)(2) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Assigned Security Responsibility | 164.308(a)(2) | Not Applicable | (R) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Administrative | Assigned Security Responsibility | 164.308(a)(2) | Not Applicable | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Assigned Security Responsibility | 164.308(a)(2) | Not Applicable | (R) | NIST SP 800-12 chapter 3 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | (A) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Workforce Security | 164.308(a)(3) | Workforce Clearance Procedure | (A) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Administrative | Workforce Security | 164.308(a)(3) | Termination Procedures | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Workforce Security | 164.308(a)(3) | Termination Procedures | (A) | NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Information Access Management | 164.308(a)(4) | Isolating Healthcare Clearinghouse Function | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Information Access Management | 164.308(a)(4) | Access Authorization | (A) | NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
| Administrative | Information Access Management | 164.308(a)(4) | Access Establishment and Modification | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Information Access Management | 164.308(a)(4) | Access Establishment and Modification | (A) | NIST SP 800-63 | Recommendation for Electronic Authentication |
| Administrative | Information Access Management | 164.308(a)(4) | Access Establishment and Modification | (A) | NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Security Awareness and Training | 164.308(a)(5) | Security Reminders | (A) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Security Awareness and Training | 164.308(a)(5) | Protection from Malicious Software | (A) | NIST SP 800-16 | IT Security Training Requirements: Role and Performance Based Model |
| Administrative | Security Awareness and Training | 164.308(a)(5) | Log-in Monitoring | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Security Awareness and Training | 164.308(a)(5) | Password Management | (A) | NIST SP 800-12 chapter 13 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) | NIST SP 800-61 | Computer Security Incident Handling Guide |
| Administrative | Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) | NIST SP 800-12 chapter 12 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Contingency Plan | 164.308(a)(7) | Data Backup Plan | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Disaster Recovery Plan | (R) | NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Emergency Mode Operation Plan | (R) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Testing and Revision Procedure | (A) | NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Applications and Data Criticality Analysis | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Applications and Data Criticality Analysis | (A) | NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| Administrative | Contingency Plan | 164.308(a)(7) | Applications and Data Criticality Analysis | (A) | NIST SP 800-12 chapter 11 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-55 | Security Metrics Guide for Information Technology Systems |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-53 / FIPS 200 | Recommended Security Controls for Federal Information Systems |
| Administrative | Evaluation | 164.308(a)(8) | Not Applicable | (R) | NIST SP 800-12 chapter 9 | An Introduction to Computer Security: The NIST Handbook |
| Administrative | Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Administrative | Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (R) | NIST SP 800-36 | Guide to Selecting Information Security Products |
| Administrative | Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Administrative | Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (R) | NIST SP 800-64 | Security Considerations in the Information Systems Development Life Cycle |
| Administrative | Business Associate Contracts and Other Arrangements | 164.308(a)(8) | Not Applicable | | NIST SP 800-12 chapter 8 | An Introduction to Computer Security: The NIST Handbook |
| Physical | Facility Access Controls | 164.310(a)(1) | Contingency Operations | (A) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Facility Security Plan | (A) | NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Access Control and Validation Procedures | (A) | NIST SP 800-26 | Security Self-Assessment Guide for Information Technology Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Maintenance Records | (A) | NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Maintenance Records | (A) | NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Maintenance Records | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Physical | Facility Access Controls | 164.310(a)(1) | Maintenance Records | (A) | NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook |
| Physical | Workstation Use | 164.310(b) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Physical | Workstation Use | 164.310(b) | Not Applicable | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Physical | Workstation Use | 164.310(b) | Not Applicable | (R) | NIST SP 800-12 chapters 15 & 16 | An Introduction to Computer Security: The NIST Handbook |
| Physical | Workstation Security | 164.310(c) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Physical | Workstation Security | 164.310(c) | Not Applicable | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Physical | Workstation Security | 164.310(c) | Not Applicable | | NIST SP 800-12 chapter 15 | An Introduction to Computer Security: The NIST Handbook |
| Physical | Device and Media Controls | 164.310(d)(1) | Media Disposal | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Physical | Device and Media Controls | 164.310(d)(1) | Media Re-use | (R) | NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| Physical | Device and Media Controls | 164.310(d)(1) | Media Accountability | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Physical | Device and Media Controls | 164.310(d)(1) | Data Backup and Storage (during transfer) | (A) | NIST SP 800-12 chapter 14 | An Introduction to Computer Security: The NIST Handbook |
| Technical | Access Control | 164.312(a)(1) | Unique User Identification | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Access Control | 164.312(a)(1) | Emergency Access Procedure | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Technical | Access Control | 164.312(a)(1) | Automatic Logoff | (A) | NIST SP 800-56 | Recommendation on Key Establishment Schemes |
| Technical | Access Control | 164.312(a)(1) | Encryption and Decryption (data at rest) | (A) | NIST SP 800-57 | Recommendation on Key Management |
| Technical | Access Control | 164.312(a)(1) | Encryption and Decryption (data at rest) | (A) | NIST SP 800-63 | Recommendation for Electronic Authentication |
| Technical | Access Control | 164.312(a)(1) | Encryption and Decryption (data at rest) | (A) | FIPS 140-2 | Security Requirements for Cryptographic Modules |
| Technical | Access Control | 164.312(a)(1) | Encryption and Decryption (data at rest) | (A) | NIST SP 800-12 chapter 17 | An Introduction to Computer Security: The NIST Handbook |
| Technical | Audit Controls | 164.312(b) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Audit Controls | 164.312(b) | Not Applicable | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Technical | Audit Controls | 164.312(b) | Not Applicable | (R) | NIST SP 800-12 chapter 18 | An Introduction to Computer Security: The NIST Handbook |
| Technical | Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data | (A) | NIST SP 800-42 | Guideline on Network Security Testing |
| Technical | Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data | (A) | NIST SP 800-44 | Guidelines on Securing Public Web Servers |
| Technical | Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Technical | Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data | (A) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Integrity | 164.312(c)(1) | Protection Against Improper Alteration or Destruction of Data | (A) | NIST SP 800-12 chapter 5 | An Introduction to Computer Security: The NIST Handbook |
| Technical | Person or Entity Authentication | 164.312(d) | Not Applicable | (R) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Person or Entity Authentication | 164.312(d) | Not Applicable | (R) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Technical | Person or Entity Authentication | 164.312(d) | Not Applicable | (R) | NIST SP 800-63 | Recommendation for Electronic Authentication |
| Technical | Person or Entity Authentication | 164.312(d) | Not Applicable | (R) | NIST SP 800-12 chapter 16 | An Introduction to Computer Security: The NIST Handbook |
| Technical | Transmission Security | 164.312(e)(1) | Integrity Controls | (A) | NIST SP 800-14 | Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Transmission Security | 164.312(e)(1) | Encryption (FTP and Email over Internet) | (A) | NIST SP 800-42 | Guideline on Network Security Testing |
| Technical | Transmission Security | 164.312(e)(1) | Encryption (FTP and Email over Internet) | (A) | NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
| Technical | Transmission Security | 164.312(e)(1) | Encryption (FTP and Email over Internet) | (A) | NIST SP 800-63 | Recommendation for Electronic Authentication |
| Technical | Transmission Security | 164.312(e)(1) | Encryption (FTP and Email over Internet) | (A) | FIPS 140-2 | Security Requirements for Cryptographic Modules |
| Technical | Transmission Security | 164.312(e)(1) | Encryption (FTP and Email over Internet) | (A) | NIST SP 800-12 chapters 16 & 19 | An Introduction to Computer Security: The NIST Handbook |
