What is a HIPAA crosswalk and how can it help with compliance?


During our most recent Paubox Webinar, NIST privacy policy advisor Dylan Gilbert covered how to apply the NIST Privacy Framework in healthcare. While providing an overview of the tool, Gilbert discussed the concept of a HIPAA crosswalk. We’ll explain what that means in this post.

What is the NIST Privacy Framework?

NIST is the National Institute of Standards and Technology, part of the U.S. Department of Commerce. The NIST Privacy Framework is available to any organization to help it build innovative products and services while also protecting individuals’ privacy through identifying and managing privacy risk.

The framework notes that Internet and IT advances have led to “unprecedented advantages” that are often “fueled by data about individuals.” Those individuals may be unaware of the privacy concerns involved, and businesses and organizations may be unaware of the possible consequences of collecting and using personal data.

By following the Privacy Framework, NIST says, businesses are able to:

  • Build customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole.
  • Fulfill current compliance obligations, as well as future-proof products and services to meet obligations in a changing technological and policy environment.
  • Facilitate communication about privacy practices with individuals, business partners, assessors, and regulators.

The 39-page framework was published in January 2020 and is positioned as an updated counterpart to NIST’s Framework for Improving Critical Infrastructure Cybersecurity, first published in 2014 and last updated in April 2018.

How can a company take advantage of both the Privacy Framework and the Critical Infrastructure Cybersecurity Framework? That’s where a HIPAA crosswalk comes in.

What is a crosswalk?

A crosswalk is a document that helps connect two different frameworks by mapping sections, subcategories, requirements and recommendations in one framework to the applicable parts of the other.

“Crosswalks that map the provisions of standards, laws, and regulations to Subcategories can help organizations determine which activities or outcomes to prioritize to facilitate compliance,” NIST explains.

NIST hosts a number of crosswalks on its Privacy Framework website. In addition to a cybersecurity crosswalk, there are crosswalks connecting the Privacy Framework to the European General Data Protection Regulation (GDPR), the Certified Information Privacy Manager (CIPM) certification, and the Privacy Information Management System (PIMS) standard.

A crosswalk for HIPAA

The U.S. Department of Health and Human Services, under which the Office for Civil Rights enforces HIPAA, has published a crosswalk between the HIPAA Security Rule and NIST’s Cybersecurity Framework.


“Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs,” the department says. “Although the Security Rule does not require use of the NIST Cybersecurity Framework, and use of the Framework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”

The HIPAA Security Rule crosswalk includes mappings to other commonly used security frameworks as well.

How can I learn more?

You can watch a replay of the full Paubox Webinar, “Applying the NIST Privacy Framework in Healthcare,” by registering here. You can access the slides from the presentation here.


About the author

Ryan Ozawa
