In an effort to evolve cybersecurity maturity for CEs and BAs, the OCR
has mapped applicable National Institute of Standards and Technology
(NIST) specifications to the HIPAA Security Rule, a so-called “crosswalk.”89
Unfortunately, this mapping and other NIST guidance do not establish
mandatory requirements for CEs or BAs, and many still mistakenly believe
that HIPAA compliance sufficiently protects against cybersecurity risk.90
4. OCR Audit Protocol and Oversight
In 2011 and 2012, the OCR developed, pursuant to new HITECH
responsibilities, an audit framework transitioning HIPAA specifications into
an audit control set and worked with 115 CEs to test the audit process.91 In
2015, the OCR selected and initiated its first candidate pool for audits,
notifying CEs in July of 2016, with planned (at the time of writing)
notification of BAs in the fall of 2016.92 The audit protocol matched HIPAA
statutory requirements and was written similarly to the HIPAA privacy,
security, and data breach notification rules.93
Overall, HIPAA coupled with OCR oversight has set a standard for
organizational privacy and security.94 However, the limited application via
point in the near future. See Niam Yaraghi, Hackers, Phishers, and Disappearing Thumb
Drives: Lessons Learned from Major Health Care Data Breaches, BROOKINGS CTR. FOR TECH.
INNOVATION 2 (May 2016), https://www.brookings.edu/wp-content/uploads/2016/07/Patient-
Privacy504v3.pdf. The use of “addressable” and “required” within the HIPAA Security rule
was included for purposes of organizational flexibility, enabling organizations to select an
appropriate security requirement based on individual circumstances. Unfortunately,
organizations have often interpreted “addressable” as optional. See ADDRESSABLE AND
REQUIRED IMPLEMENTATION, supra note 82; Kerry Shackelford, Top 5 HIPAA Compliance
Gaps to Avoid, LINFORD & CO LLP BLOG (July 15, 2013), http://linfordco.com/blog/top-5-
89. See generally U.S. DEP’T HEALTH & HUMAN SERVS., HIPAA SECURITY RULE
CROSSWALK TO NIST CYBERSECURITY FRAMEWORK (Feb. 22, 2016), http://www.hhs.gov/
the mappings between the HIPAA Security Rule and NIST specifications).
90. Id. NIST offers helpful mappings between cybersecurity categories and relevant
standards (including International Standards Organization, or ISO, a popular standard;
COBIT, a popular audit standard; NIST standards; and other control sets. NIST has also
created additional documents for assistance in complying with HIPAA); see NAT’L INST. OF
STANDARDS & TECH., AN INTRODUCTORY RESOURCE GUIDE FOR IMPLEMENTING THE HEALTH
INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SECURITY RULE (2008),
91. HIPAA Privacy, Security, and Breach Notification Audit Program, U.S. DEP’T
HEALTH & HUMAN SERVS., http://www.hhs.gov/hipaa/for-professionals/compliance-enforcem
ent/audit/ (last visited Oct. 7, 2016).
93. Id.; Audit Protocol–Updates April 2016, U.S. DEP’T HEALTH & HUMAN SERVS.
visited Oct. 13, 2016).
94. HIPAA Enforcement, U.S. DEP’T HEALTH & HUMAN SERVS., http://www.hhs.gov/hipa