NIST SP 800-66 Revision 2
HIPAA Security Rule on one operating record

NIST SP 800-66 Revision 2: implementing the HIPAA Security Rule

NIST Special Publication 800-66 Revision 2 (February 2024), titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is the implementation companion to the HIPAA Security Rule (45 CFR Part 164 Subpart C). The guide replaces SP 800-66 Revision 1 (October 2008) and modernises the implementation guidance against the current threat landscape, the current NIST control catalogue (SP 800-53 Revision 5), and the current healthcare security operating model. SP 800-66 Rev. 2 is voluntary; it does not replace the regulation. It gives covered entities and business associates a structured implementation language the OCR Audit Protocol, the HITECH audit, and the parallel framework reads (HITRUST, SOC 2, NIST CSF 2.0) all consume.

For healthcare GRC teams, vulnerability management teams, AppSec teams, internal security teams, security engineering teams, and CISOs, SP 800-66 is the practical bridge between the HIPAA Security Rule and the NIST SP 800-53 Revision 5 control catalogue. Programmes that operate against NIST CSF 2.0, HITRUST CSF, or ISO 27001 do not migrate to SP 800-66; the guide reads as the federal-grade implementation companion that places those parallel frameworks into the Security Rule operating language without rebuilding the evidence pack per audit.

Why SP 800-66 Rev. 2 is the named implementation companion to the Security Rule

The HIPAA Security Rule is technology-neutral and outcome-oriented by design. The regulation describes what to achieve (the safeguards) and what reasonable documentation looks like, but it does not prescribe how the implementation should run, which technology stack should be used, or which control catalogue the evidence should map to. SP 800-66 Rev. 2 fills that gap. The guide is structured around five implementation steps the Security Rule expects (risk assessment, identifying and documenting reasonable and appropriate security measures, implementing the measures, documenting the implementation, maintaining continuous security assurance) and maps each Administrative, Physical, and Technical Safeguard to specific SP 800-53 Rev. 5 control families. The guide is voluntary; OCR enforces the regulation, not the guide. The guide is the federal-grade implementation language that turns the safeguards into a working programme.

The pairing with SP 800-53 matters operationally. A healthcare programme that adopts the SP 800-66 implementation language gets the federal control catalogue, the FedRAMP authorisation vocabulary, the NIST CSF 2.0 outcome map, and the parallel framework crosswalks for free. A healthcare programme that operates against the HIPAA Security Rule alone has to rebuild the implementation language per audit. SP 800-66 Rev. 2 is the integration layer between healthcare-specific regulation and the NIST control catalogue the rest of the security ecosystem already speaks.

The five implementation steps SP 800-66 Rev. 2 expects

SP 800-66 Rev. 2 organises the implementation work into five sequential steps. The steps are sequential in dependency rather than strictly in calendar time; continuous security assurance feeds the next risk assessment, so the programme operates as a cycle rather than as a one-off project. Each step has a named output the next step reads against and a documentation requirement the six-year retention rule at 164.316(b)(2) preserves.

Safeguard catalogue: Administrative, Physical, Technical, Organisational

SP 800-66 Rev. 2 maps the Security Rule safeguards directly to NIST SP 800-53 control families. The map is bidirectional. A control implementation reads as Security Rule evidence, and a Security Rule safeguard reads against a specific control family the assessor recognises. The mapping is the discipline that lets a single operating record serve the OCR Audit Protocol, the HITRUST assessment, the SOC 2 examination, and the NIST CSF 2.0 outcome report without rebuilding the evidence pack four times.

NIST SP 800-53 control families the Technical Safeguards map to

The Technical Safeguards at 45 CFR 164.312 carry the bulk of the scanner-driven and authentication-driven evidence. SP 800-66 Rev. 2 maps each Technical Safeguard standard to the SP 800-53 Rev. 5 control families that produce the evidence; the table below names the control families the assessor reads against per safeguard and the implementation specifications they cover.

• AC family (Access Control) for 164.312(a) Access Control. AC-2 Account Management, AC-3 Access Enforcement, AC-5 Separation of Duties, AC-6 Least Privilege, AC-7 Unsuccessful Logon Attempts, AC-8 System Use Notification, AC-11 Device Lock, AC-12 Session Termination, AC-17 Remote Access, AC-18 Wireless Access, AC-19 Access Control for Mobile Devices, AC-20 Use of External Systems. The Security Rule unique user identification requirement (164.312(a)(2)(i), required) reads against AC-2 and IA-2. The emergency access procedure (164.312(a)(2)(ii), required) reads against AC-2(2). The automatic logoff specification (164.312(a)(2)(iii), addressable) reads against AC-11 and AC-12. The encryption and decryption specification (164.312(a)(2)(iv), addressable) reads against SC-13 and SC-28.
• AU family (Audit and Accountability) for 164.312(b) Audit Controls. AU-2 Event Logging, AU-3 Content of Audit Records, AU-4 Audit Log Storage Capacity, AU-5 Response to Audit Logging Process Failures, AU-6 Audit Record Review, Analysis, and Reporting, AU-7 Audit Record Reduction and Report Generation, AU-8 Time Stamps, AU-9 Protection of Audit Information, AU-11 Audit Record Retention, AU-12 Audit Record Generation. The audit controls requirement at 164.312(b) is purposely technology-neutral but the evidence set is the audit logging coverage matrix per ePHI system, the monitoring and review procedure, and the records of those reviews against a defined cadence. Gaps in coverage or review cadence are routine findings under OCR investigations following a breach.
• IA family (Identification and Authentication) for 164.312(d) Person or Entity Authentication. IA-2 Identification and Authentication (Organisational Users) with enhancements IA-2(1) MFA to Privileged Accounts and IA-2(2) MFA to Non-Privileged Accounts, IA-3 Device Identification and Authentication, IA-4 Identifier Management, IA-5 Authenticator Management with enhancements covering password complexity, lifetime, and storage, IA-6 Authentication Feedback, IA-8 Identification and Authentication (Non-Organisational Users). Multi-factor authentication for ePHI access by remote, privileged, or external users is widely treated as the reasonable and appropriate baseline under the addressable specification.
• SI family (System and Information Integrity) for 164.312(c) Integrity. SI-2 Flaw Remediation, SI-3 Malicious Code Protection, SI-4 Information System Monitoring, SI-7 Software, Firmware, and Information Integrity, SI-10 Information Input Validation, SI-11 Error Handling, SI-12 Information Management and Retention. The integrity requirement at 164.312(c) is paired with the audit controls and the contingency plan controls; the evidence set covers file integrity monitoring, database integrity constraints, immutable backups, change management records, and the patch lifecycle that prevents corruption rather than detecting it after the fact.
• SC family (System and Communications Protection) for 164.312(e) Transmission Security. SC-7 Boundary Protection, SC-8 Transmission Confidentiality and Integrity with enhancements covering cryptographic protection, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection, SC-23 Session Authenticity, SC-28 Protection of Information at Rest. The HHS Guidance on Securing Electronic Protected Health Information names AES with a recognised symmetric key length and TLS configurations consistent with NIST SP 800-52 as appropriate cryptographic protection. SSL/TLS scan output, header analysis, and configuration baselines feed this safeguard with hard evidence on the operating record.
• RA, PL, PM families (Risk Assessment, Planning, Program Management) for 164.308(a)(1) Security Management Process. RA-3 Risk Assessment, RA-5 Vulnerability Monitoring and Scanning, RA-7 Risk Response, RA-9 Criticality Analysis, PL-2 System Security and Privacy Plans, PL-4 Rules of Behaviour, PM-1 Information Security Program Plan, PM-9 Risk Management Strategy, PM-11 Mission and Business Process Definition. The Security Rule risk analysis at 164.308(a)(1)(ii)(A) reads against RA-3 and the methodology guidance in NIST SP 800-30 Rev. 1. The continuing risk management at 164.308(a)(1)(ii)(B) reads against RA-7 and PM-9.
• CP family (Contingency Planning) for 164.308(a)(7) Contingency Plan. CP-1 Policy and Procedures, CP-2 Contingency Plan, CP-3 Contingency Training, CP-4 Contingency Plan Testing, CP-6 Alternate Storage Site, CP-7 Alternate Processing Site, CP-9 System Backup, CP-10 System Recovery and Reconstitution. The Security Rule contingency plan standard has five implementation specifications: data backup plan (required), disaster recovery plan (required), emergency mode operation plan (required), testing and revision procedure (addressable), and applications and data criticality analysis (addressable). The pairing with the SP 800-53 CP family gives the covered entity a specific implementation language and an evidence set the assessment can read against.
• IR family (Incident Response) for 164.308(a)(6) Security Incident Procedures. IR-1 Policy and Procedures, IR-2 Incident Response Training, IR-3 Incident Response Testing, IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting, IR-7 Incident Response Assistance, IR-8 Incident Response Plan, IR-9 Information Spillage Response. The Security Rule incident procedures at 164.308(a)(6) include response and reporting as required specifications. Pair with the Breach Notification Rule at 45 CFR Part 164 Subpart D so the incident lifecycle, the four-factor breach risk assessment, the notification timelines (without unreasonable delay and no later than 60 calendar days for affected individuals, with media and HHS notifications based on impact), and the rationale for any low-probability-of-compromise determination all read against one record.

Where SP 800-66 sits next to HIPAA, HITECH, HITRUST, SOC 2, NIST CSF 2.0

The healthcare security stack reads multiple frameworks in parallel. HIPAA (the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule at 45 CFR Parts 160 and 164) is the federal regulation. HITECH Act of 2009 amendments and the 2013 Omnibus Rule extend the regulation to business associates and increase enforcement. SP 800-66 Rev. 2 is the NIST implementation guide that pairs the Security Rule with the SP 800-53 control catalogue. HITRUST CSF is the private-sector certifiable framework many enterprise health systems and business associates adopt to give a third-party certification stream against the same controls. SOC 2 is the AICPA assurance report that some health technology vendors run alongside HIPAA. NIST CSF 2.0 is the outcome-oriented framework boards and senior leaders read against, with the Govern, Identify, Protect, Detect, Respond, and Recover functions. SP 800-66 is the integration layer; the framework crosswalk reads cleanly against all of the above through the SP 800-53 control mapping.

Recurring failure modes SP 800-66 implementations hit

Programmes that struggle with the SP 800-66 implementation typically hit a small set of recurring failure modes. Naming them upfront lets the programme design controls to avoid them rather than discovering them during the OCR audit protocol read or the HITECH investigation following a breach.

Evidence the implementation expects

A defensible SP 800-66 implementation produces a stable evidence set across the five steps. The artefact set is the documentation the Security Rule expects to be retained for six years from creation or last effective date under 164.316(b)(2), and the same evidence the OCR Audit Protocol, the HITECH enquiry, and the parallel framework reads consume.

• Documented Security Rule risk assessment with the asset inventory, threat catalogue, vulnerability list, current control posture, likelihood and impact rationale, risk determination, and risk treatment per the SP 800-30 Rev. 1 methodology
• Documented decision rationale per addressable implementation specification (implement as written, implement an equivalent alternative, or document why neither is reasonable and appropriate)
• Per-safeguard implementation evidence: configuration baselines, scan output, control attestations, policy references, training completion records, drill records, and walk-through evidence
• Six-year document retention from creation or last effective date per 164.316(b)(2)(i) covering policies, procedures, risk assessments, incident records, training records, and the safeguard implementation evidence
• Workforce training records per role with the per-individual completion record, the training content reference, and the cadence the covered entity adopted under 164.308(a)(5)
• Incident records per the Security Incident Procedures (164.308(a)(6)) and the Breach Notification Rule (164.400 to 164.414) including the four-factor breach risk assessment, the notification timeline (HHS, affected individuals, media), and the rationale for any low-probability-of-compromise determination
• Contingency plan testing records covering the disaster recovery plan, the emergency mode operation plan, and the backup restore validation, with the test date, the participants, the findings, and the plan revisions
• Business associate agreement register with the BAA on file per business associate, the categories of ePHI accessed, the security attestations, and the subcontractor chain
• Access review records per the access review cycle the covered entity adopted under 164.308(a)(4) covering the user inventory, the role assignments, the access grant rationale, and the access removal records
• Audit log evidence per ePHI system covering the logging coverage matrix, the monitoring and review procedure, and the records of those reviews against a defined cadence per 164.312(b)
• Vulnerability management evidence under RA-5 covering scan execution records, finding triage with severity calibration, remediation SLAs, exception register entries with rationale, retest evidence per remediated finding, and recurring detection identity
• Configuration baseline evidence per ePHI system component with change control records, configuration deviation tracking, and configuration audit results under 164.312(c) integrity

How SP 800-66 reads across security functions

SP 800-66 is a cross-functional guide. The same Security Rule implementation reads differently depending on the function that holds the work. Programmes that run SP 800-66 as a GRC exercise alone lose the engineering depth the implementation expects; programmes that run it as an engineering exercise alone lose the governance depth. The named functions below own different parts of the same evidence set.

Running the SP 800-66 implementation on SecPortal

SecPortal carries the operating record the SP 800-66 implementation reads against: the engagement is the per-ePHI-system risk assessment cycle, the findings record carries the safeguard gaps and the vulnerability scan output, the documents area carries the risk assessment, the policy library, and the per-BAA register, and the activity log carries the audit trail every Security Rule documentation requirement reads against. The platform alignment below maps the verified product capabilities to the SP 800-66 steps and the SP 800-53 control families the Security Rule safeguards map to.

• Engagement management as the workspace anchor for the SP 800-66 implementation programme, with the per-ePHI-system risk assessment cycle, the per-safeguard implementation evidence, the workforce training pack, and the annual reassessment cadence tracked as engagements that produce the artefact set as a side effect rather than as a parallel project
• Findings management with CVSS 3.1 calibration and 300+ finding templates so the safeguard gaps identified during the risk assessment, the vulnerability scanning output, and the OCR-relevant findings all read the same severity vocabulary and the remediation SLA is enforceable per finding
• Compliance tracking across 21 framework templates including the HIPAA Security Rule, NIST SP 800-53, NIST CSF 2.0, HITRUST, and the additional frameworks healthcare programmes typically read against, so the SP 800-66 mapping reads against the same record the parallel framework reads consume
• Document management for the risk assessment, the per-safeguard policies and procedures, the business associate agreement register, the contingency plan, the incident response plan, the training materials, the audit log coverage matrix, and the OCR investigation evidence pack, so the six-year retention requirement under 164.316(b)(2) operates on the workspace rather than across a folder hierarchy that drifts
• Authenticated scanning (17 modules) for the technical safeguards evidence including TLS posture for 164.312(e) transmission security, authentication posture for 164.312(d), session and access control posture for 164.312(a), and integrity posture for 164.312(c)
• External scanning (16 modules) for the boundary and perimeter posture evidence including DNS, TLS, ports, headers, technology fingerprinting, subdomain enumeration, and CVE matching that the SP 800-53 SC-7 boundary protection control reads against
• Code scanning via Semgrep against connected GitHub, GitLab, and Bitbucket repositories so the SI-2 flaw remediation evidence, the SA-11 developer security testing evidence, and the SI-7 software integrity evidence accumulate as scan execution records archived per ePHI system
• Continuous monitoring on daily, weekly, biweekly, or monthly cadences so the periodic review obligation under SP 800-66 Section 5.5 reads against the operating posture rather than against a snapshot
• Retesting workflows paired to the original finding so the remediation evidence carries the verify-after-fix record the OCR investigator and the HITECH auditor read against, and the recurring detection identity prevents the same gap from being closed without verification
• Activity log with CSV export and timestamped state changes by user across finding, engagement, scan, document, comment, and team entity types, so the AU-2 event logging and AU-12 audit record generation evidence is reproducible from one source for the six-year retention window
• Encrypted credential storage (AES-256-GCM) for the scanning credentials needed to read ePHI systems under authenticated scanning, so the credential lifecycle is held under the same access controls the Security Rule expects against the rest of ePHI access
• Multi-factor authentication for workspace access so the IA-2(1) and IA-2(2) MFA evidence for privileged and non-privileged user access reads against the operating posture rather than against a policy statement alone
• Team management with RBAC (owner, admin, member, viewer, billing) so the AC-2 account management, AC-5 separation of duties, AC-6 least privilege, and PS-2 position risk designation controls have the per-role evidence the Security Rule expects
• AI report generation that produces the per-ePHI-system risk assessment narrative, the per-safeguard implementation summary, the leadership-readable continuous monitoring summary, and the OCR-ready investigation pack draft from the same engagement record, with the underlying findings, scans, and documents linked

Honest scope: what SP 800-66 implementation on SecPortal does not include

SecPortal carries the implementation record the Security Rule expects against the verified product capabilities. The platform does not provide HIPAA certification (the Security Rule does not certify; OCR investigates compliance against the regulation), does not act as a Business Associate by default (the workspace owner decides whether the SecPortal contract reaches BAA territory and signs the appropriate agreements), does not ship packaged Jira, ServiceNow, Slack, PagerDuty, Opsgenie, SIEM, or EHR connectors (the workspace bridges those flows through user actions and bulk import rather than through packaged integrations), does not provide SSO, SCIM, or SAML federation, does not provide a packaged Medical Device Inventory beyond the asset records the workspace owner creates, does not provide a packaged Privacy Rule de-identification engine, and does not determine the four-factor breach risk assessment on the covered entity's behalf (the covered entity makes the determination; SecPortal carries the record).

Related reading on SecPortal

• HIPAA Security Rule is the parent regulation SP 800-66 Rev. 2 provides implementation guidance for.
• NIST SP 800-53 Revision 5 is the control catalogue the SP 800-66 mapping reads against per safeguard.
• NIST SP 800-37 Risk Management Framework is the process framework that places 800-53 controls into a structured authorisation lifecycle.
• NIST CSF 2.0 is the outcomes-oriented framework boards and senior leaders read against alongside the SP 800-66 implementation.
• HITRUST CSF is the private-sector certifiable framework many health systems adopt to certify against the same control set.
• NIST SP 800-30 is the risk assessment methodology guide the SP 800-66 implementation grounds the risk analysis on.
• ISO 27001 reads against the same SP 800-53 control families through the parallel framework crosswalk.
• Compliance audits is the workflow that runs the SP 800-66 implementation through the OCR audit protocol read.
• Control mapping and cross-framework crosswalks is the workflow programmes run to reconcile the SP 800-66 evidence with the parallel framework reads.
• Audit fieldwork evidence request fulfillment is the workflow the OCR audit protocol and the HITECH enquiry read against during the assessment week.
• Vulnerability acceptance and exception management is the workflow that documents the addressable specification choices the Security Rule expects.
• Breach notification and regulator readiness is the workflow that operates the Breach Notification Rule at 45 CFR Part 164 Subpart D paired with the Security Incident Procedures.
• Security compliance automation covers the cross-framework patterns SP 800-66 implementations use to avoid rebuilding evidence per audit.