By: Christopher A. Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, Ma.
A Health Law Defense and Compliance Firm
The healthcare sector is witnessing a pivotal moment in the evolution of cybersecurity and compliance standards. With the publication of Special Publication (SP) 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide,” a joint effort by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), healthcare entities are provided with an invaluable resource. This guide is a cornerstone in the ongoing endeavor to fortify the security and compliance frameworks that protect our most sensitive health information.
Published on February 16, 2024, this comprehensive document is designed to assist HIPAA-covered entities—encompassing healthcare providers, health plans, and health care clearinghouses—and their business associates in navigating the complexities of the HIPAA Security Rule. It aims to enhance understanding, drive compliance, and boost security measures within the healthcare sector. This initiative aligns with the HHS’s broader vision, demonstrated through its release of a department-wide cybersecurity strategy for healthcare in December 2023, followed by the introduction of voluntary performance goals in January 2024 to uplift cybersecurity standards sector-wide.
The publication meticulously details the HIPAA Security Rule’s Risk Analysis and Risk Management requirements, offering a roadmap for entities to assess and manage risks to electronic protected health information (ePHI). It underscores the significance of implementing robust cybersecurity measures and solutions as part of an information security program.
Key areas of focus include:
- The pivotal elements of Risk Analysis and Risk Management as mandated by the HIPAA Security Rule.
- Essential activities and considerations for aligning with Security Rule requirements.
- Practical steps for the deployment of security measures.
- Criteria and sample questions for evaluating the effectiveness of cybersecurity measures in safeguarding ePHI.
Moreover, the guide is supplemented by additional resources from NIST, aimed at bolstering cybersecurity in critical areas such as telehealth, mobile device security, ransomware and phishing, medical device security, cloud services, the Internet of Things in healthcare, application security, and supply chain management. The updated Cybersecurity and Privacy Reference Tool (CPRT) by NIST further enriches this ecosystem of resources, linking HIPAA Security Rule regulations with comprehensive NIST tools and guidelines.
At Parrella Health Law, we recognize the paramount importance of this publication for our clients and the broader healthcare community. As legal advisors specializing in healthcare compliance and cybersecurity, we are poised to assist healthcare entities in interpreting and implementing these guidelines, ensuring not only compliance with the HIPAA Security Rule but also the adoption of industry-leading cybersecurity practices.
This moment marks a significant milestone in the journey toward a more secure and compliant healthcare sector. We encourage all healthcare entities and their business associates to delve into the insights offered by SP 800-66 Revision 2, leveraging this guide as a foundational element of their cybersecurity and compliance strategies. Parrella Health Law is here to guide you through this evolving landscape, ensuring that your operations not only meet but exceed the regulatory requirements, safeguarding the trust and well-being of your patients and stakeholders. For more information on how we can assist you in navigating these complex requirements and bolstering your cybersecurity posture, visit our website at www.parrellahealthlaw.com or contact us directly at info@parrellahealthlaw.com or 857-328-0382.

Christopher Parrella, Esq., CPC, CHC, CPCO, is the founding partner of Parrella Health Law in Boston, Mass. The firm focuses exclusively on healthcare defense and compliance matters. Chris also travels the country on behalf of a wide range of healthcare organizations, lecturing on a variety of health care enforcement and compliance topics. Chris is one of a handful of health care attorneys who are also Certified Professional Coders (CPC), and he is a member of the AAPC’s National Legal Advisory Board and Ethics Committee. He is also a Certified Professional Compliance Officer (CPCO) and Certified in Health Care Compliance (CHC).