Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Implementing the HIPAA Security Rule: NIST Releases Draft NIST SP 800-66, Rev. 2 for Public Comment

The initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is now available for public comment. Deadline to

The initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, is now available for public comment.

The HIPAA Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), as defined by the Security Rule. All HIPAA-regulated entities must comply with the requirements of the Security Rule.

This draft update:

  • Includes a brief overview of the HIPAA Security Rule
  • Provides guidance for regulated entities on assessing and managing risks to ePHI
  • Identifies typical activities that a regulated entity might consider implementing as part of an information security program
  • Lists additional resources that regulated entities may find useful in implementing the Security Rule

A public comment period is open through September 21, 2022. See the publication details for a copy of the draft and instructions for submitting comments.


NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Released July 21, 2022, Updated August 2, 2022