Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

New HIPAA Tool Helps Organizations Meet Security Requirements

A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Congress enacted HIPAA to, among other things, promote efficiency in the health care industry through the use of standardized electronic transactions, while protecting the privacy and security of health information.

The Secretary of Health and Human Services (HHS) published the HIPAA Security Rule, a national set of standards for protecting electronic protected health information (EPHI) that is created, transmitted, or maintained by covered entities and their business associates. HHS recognizes the value of NIST's information security standards and guidelines, and has recommended these as valuable resources for organizations to consider as they implement the HIPAA Security Rule.

The law requires "covered entities" and business associates to follow the HIPAA Security Rule. Covered entities include government agencies involved in health records, health care providers, health plans such as health insurance issuers and Medicaid and Medicare programs, health care clearinghouses and Medicare prescription drug card sponsors. "Our HIPAA Security Rule Toolkit is designed to help organizations of all sizes and with varying levels of security expertise to better protect electronic health information," says NIST information security specialist Kevin Stine. "It leverages many existing security resources and tailors them for use within the context of HIPAA security." He emphasizes that the application is meant as a self-assessment tool, and does not indicate HIPAA Security Rule compliance.

The toolkit is intended to be a resource that organizations can use to support their risk assessment processes by identifying areas where security safeguards may be needed to protect EPHI, or where existing security safeguards may need to be improved. The self-assessment tool presents a series of questions in groups related to each of the HIPAA Security Rule standards and implementation specifications. For simplicity, the toolkit follows the established HIPAA structure of administrative, physical and technical safeguards, organizational requirements, and policies, procedures and documentation requirements.

The target audience includes HIPAA-covered entities and business associates, and organizations that provide Security Rule implementation, assessment and compliance services. Target user organizations can range in size from a large nationwide health plan with vast information technology (IT) resources to a small two-doctor health care provider with limited access to IT expertise.

The free toolkit comes with a comprehensive User Guide and a self-contained, stand-alone software application that can run on Windows, Mac and Linux operating systems. It is available at Funding for the toolkit was provided by the American Recovery and Reinvestment Act of 2009.

Released November 22, 2011, Updated February 7, 2023