United States of America: Adopted Health Insurance Portability and Accountability Act (HIPAA) via Cybersecurity Resource Guide

On 14 February 2024, the National Institute of Standards and Technology adopted a Cybersecurity Resource Guide, implementing the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The Cybersecurity Resource Guide provides information on the protection of electronic protected health information (ePHI) that is held or maintained by regulated entities. Regulated entities include healthcare providers, health plan providers, healthcare clearinghouses, and business associates that perform certain functions or activities that involve the use or disclosure of protected health information. Any ePHI created, received, maintained, or transmitted by a regulated entity must be safeguarded against reasonably foreseeable threats, risks, and unauthorised uses or disclosures. The document offers practical guidance and resources for regulated entities of all sizes, helping them to secure ePHI and enhance their understanding of the security measures outlined in the HIPAA Security Rule, including the HIPAA risk management requirements, that mandate a risk analysis including an accurate and thorough assessment of potential risks and vulnerabilities to the confidentialities, integrity, and availability of electronic protected health information.