Sign In

An official website of the United States government

U.S. Department of Health & Human Services

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Appendix F: HIPA​A Security Rule Mapping

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide[84]


The sensitive health information maintained by health care providers and health plans has become an increasingly attractive target for cyberattacks. The need for health care organizations to up their game on health data security has never been greater.

To help health care organizations covered by the HIPAA Rules[85] to bolster their security posture, the HHS Office for Civil Rights (OCR)[86] developed a crosswalk[87] with NIST and the Office of the National Coordinator (ONC)[88] for Health IT, that identifies “mappings" between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule.[89] The crosswalk also includes mappings to other commonly used security frameworks.

Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity's ability to secure ePHI from a broad range of threats. The HIPAA Security Rule is designed to be flexible, scalable, and technology-neutral, which enables it to accommodate integration with more detailed frameworks such as the NIST Cybersecurity Framework. Although the Security Rule does not require use of the NIST Cybersecurity Framework and use of the Framework does not guarantee HIPAA Security Rule compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

In addition, Congress, in both the HITECH Act of 2009[90] as well as the Cybersecurity Information Sharing Act of 2015 (CISA),[91] called for guidance on implementation of NIST frameworks. In response, this crosswalk provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks. The crosswalk also supports and encourages HIPAA Rules covered entities and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI.

<< Back                                                                                                                                                                              Next >>


84 The text for this appendix is an adaptation of the text provided by HHS (2016, Feb 23). Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework

85 HIPAA (2006).

86 OCR (2021). About Us. 

87 HHS (2016, 22 Feb). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework

88 ONC (2020). About ONC: What We Do

89 45 CFR Part 164.

90 HITECH (2009).

91 CISA (2015).