NIST SP 800-66 Revision 2: HIPAA Security Rule Cybersecurity Resource Guide
NIST's 2024 update to the implementation guide for the HIPAA Security Rule, mapping the rule's standards to NIST Cybersecurity Framework subcategories and current cybersecurity practices.
Primary source
NIST SP 800-66 Revision 2 →https://csrc.nist.gov/pubs/sp/800/66/r2/final
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
NIST SP 800-66 Revision 2 ("Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide") was published February 14, 2024. It is the authoritative implementation companion to the HIPAA Security Rule for any covered entity or business associate following NIST guidance.
Key changes from Revision 1 (2008):
- Risk-assessment guidance aligned to NIST SP 800-30 r1 and NIST CSF.
- Mappings of each Security Rule standard and implementation specification to NIST Cybersecurity Framework (CSF) subcategories.
- Threat- and vulnerability-aware content reflecting the ransomware, supply chain, and identity-based threat landscape that emerged between 2008 and 2024.
- Worksheets for documenting risk analysis, security categorization, and safeguard implementation.
- Reference architectures for small/medium organizations.
OCR and NIST jointly host webinars and resource pages reinforcing 800-66 r2 as a reference. A risk analysis that traces its method to 800-66 r2 (with explicit NIST CSF mappings) is well positioned for an audit defense — the rule itself is technology-neutral, and following NIST is a recognized way to satisfy the "reasonable and appropriate" standard.
Companion documents: NIST CSF 2.0 (broader framework), NIST SP 800-53 r5 (control catalog), NIST SP 800-63B (digital identity authentication), NIST SP 800-88 r1 (media sanitization).
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationNIST SP 800-63B: Digital Identity Guidelines (Authentication and Lifecycle Management)Federal authentication framework defining three Authenticator Assurance Levels (AAL1, AAL2, AAL3), authenticator types, and lifecycle requirements.
- RegulationHIPAA Security Risk Analysis Standard (45 CFR 164.308(a)(1)(ii)(A))Required implementation specification: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- RegulationHIPAA Security Rule: General Rules (45 CFR 164.306)Required objectives — confidentiality, integrity, and availability of ePHI — plus the flexibility provisions that govern how covered entities select and implement specific safeguards.
- RegulationNIST Cybersecurity Framework 2.0The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.