NIST SP 800-66 Revision 2 HIPAA Implementation Guide
NIST Special Publication 800-66 Revision 2 is the official NIST guide to implementing the HIPAA Security Rule. Published February 2024, it replaces the 2008 Rev 1 and is the closest thing to a regulator-blessed implementation playbook.
What the regulation requires
OCR explicitly references SP 800-66 Rev 2 in its risk-analysis guidance. Practices that build their program against 800-66 Rev 2 stand on the strongest defensible foundation when an audit or breach happens.
Implementation specifications
Risk Analysis methodology
Step-by-step risk analysis aligned to 164.308(a)(1)(ii)(A): scope, identify, assess, document, monitor. (SP 800-66 Rev 2 Section 5)
Implementation considerations per Security Rule standard
For each standard in 164.308 / 310 / 312 / 314 / 316, Rev 2 provides guidance, references to SP 800-53 Rev 5 controls, and references to CSF 2.0 subcategories. (SP 800-66 Rev 2 Appendix F)
Crosswalks
Mapping from HIPAA Security Rule to NIST CSF 2.0 and SP 800-53 Rev 5 control families. (SP 800-66 Rev 2 Appendix G)
Templates and examples
Sample documents for risk register, policy structure, and information asset inventory. (SP 800-66 Rev 2 Appendix H)
How Petronella implements this safeguard
Every Petronella HIPAA engagement maps NIST SP 800-66 Revision 2 (Implementing the HIPAA Security Rule) to documented evidence in your environment. This is what that looks like in practice for the NIST SP 800-66 Revision 2 standard:
- Risk Analysis under 164.308(a)(1)(ii)(A) using the SP 800-66 Rev 2 method, with output that maps directly to OCR's expectation.
- Policy and procedure set authored against the Rev 2 implementation considerations, with one document per Security Rule standard.
- Risk register that uses the Rev 2 crosswalk so each finding can be discussed in HIPAA, CSF, or 800-53 terms depending on audience.
- Annual refresh tied to NIST publication updates so you are never running on the deprecated 2008 Rev 1 method.
Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.
Where most practices fall short
OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under NIST SP 800-66 Revision 2 (Implementing the HIPAA Security Rule). We surface these before they become a finding.
- Risk Analysis built against the 2008 SP 800-66 Rev 1, which did not address cloud, mobile, or modern threat models.
- Practices using third-party HIPAA "checklists" that have not been updated for Rev 2 since its February 2024 release.
- OCR audit responses that cite SOC 2 reports or vendor questionnaires instead of an SP 800-66-aligned risk analysis (these are not equivalent).
- Risk Analysis exists but does not produce a quantified risk register, which Rev 2 specifically calls out as best practice.
Related HIPAA safeguards
NIST SP 800-66 Revision 2 interacts with several other Security Rule standards. Cover them together for a defensible program.
Need help with NIST SP 800-66 Revision 2?
Penny answers before the third ring, asks 3 qualifying questions, then books your free 15. Or jump straight to the platform that runs your HIPAA program.