NIST SP 800-66 Rev 2

United States

5 domains

65 controls

NIST SP 800-66 Rev 2 Implementing the HIPAA Security Rule (Feb 2024).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

Administrative

36 controls

Controls in the Administrative domain of NIST SP 800-66 Rev 2 — 36 controls
Code	Title	Description
164.308(a)(1)(i)	Security Management Process (Standard)	Implement policies and procedures to prevent, detect, contain, and correct security violations. NIST recommends establis...
164.308(a)(1)(ii)(A)	Risk Analysis (Required)	Conduct accurate and thorough assessment of potential risks and vulnerabilities to ePHI. NIST recommends the nine-step r...
164.308(a)(1)(ii)(B)	Risk Management (Required)	Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. NIST r...
164.308(a)(1)(ii)(C)	Sanction Policy (Required)	Apply appropriate sanctions against workforce members who fail to comply with security policies. NIST recommends graduat...
164.308(a)(1)(ii)(D)	Information System Activity Review (Required)	Regularly review audit logs, access reports, and security incident tracking reports. NIST recommends defined review freq...
164.308(a)(2)	Assigned Security Responsibility (Standard)	Identify the security official responsible for development and implementation of policies and procedures. NIST recommend...
164.308(a)(3)(i)	Workforce Security (Standard)	Implement policies ensuring workforce members have appropriate access to ePHI and that those who should not have access...
164.308(a)(3)(ii)(A)	Authorization and Supervision (Addressable)	Implement procedures for authorization and supervision of workforce members who work with ePHI. NIST recommends formal a...
164.308(a)(3)(ii)(B)	Workforce Clearance Procedure (Addressable)	Determine that access to ePHI is appropriate. NIST recommends background screening proportionate to role sensitivity and...
164.308(a)(3)(ii)(C)	Termination Procedures (Addressable)	Implement procedures for terminating access to ePHI when employment ends or as required. NIST recommends time-bounded SL...
164.308(a)(4)(i)	Information Access Management (Standard)	Implement policies authorizing access to ePHI consistent with applicable HIPAA Privacy Rule requirements. NIST recommend...
164.308(a)(4)(ii)(A)	Isolating Health Care Clearinghouse Functions (Required if applicable)	If a clearinghouse is part of a larger organization, isolate ePHI from the larger organization. NIST recommends network...
164.308(a)(4)(ii)(B)	Access Authorization (Addressable)	Implement policies for granting access to ePHI via workstation, transaction, program, or process. NIST recommends formal...
164.308(a)(4)(ii)(C)	Access Establishment and Modification (Addressable)	Implement policies that document, review, and modify a user's right of access. NIST recommends periodic recertification...
164.308(a)(5)(i)	Security Awareness and Training (Standard)	Implement a security awareness and training program for all workforce members. NIST recommends role-based content, onboa...
164.308(a)(5)(ii)(A)	Security Reminders (Addressable)	Issue periodic security updates and reminders. NIST recommends multiple channels including email, posters, intranet, and...
164.308(a)(5)(ii)(B)	Protection from Malicious Software (Addressable)	Implement procedures for guarding against, detecting, and reporting malicious software. NIST recommends endpoint protect...
164.308(a)(5)(ii)(C)	Log-in Monitoring (Addressable)	Implement procedures for monitoring log-in attempts and reporting discrepancies. NIST recommends automated alerts on fai...
164.308(a)(5)(ii)(D)	Password Management (Addressable)	Implement procedures for creating, changing, and safeguarding passwords. NIST recommends aligning to SP 800-63B authenti...
164.308(a)(6)(i)	Security Incident Procedures (Standard)	Implement policies to address security incidents. NIST recommends an incident response plan aligned to NIST SP 800-61 wi...
164.308(a)(6)(ii)	Response and Reporting (Required)	Identify and respond to suspected or known incidents, mitigate harmful effects, and document incidents and their outcome...
164.308(a)(7)(i)	Contingency Plan (Standard)	Establish policies for responding to emergencies that damage ePHI systems. NIST recommends contingency planning per SP 8...
164.308(a)(7)(ii)(A)	Data Backup Plan (Required)	Establish procedures to create and maintain retrievable exact copies of ePHI. NIST recommends offline or immutable backu...
164.308(a)(7)(ii)(B)	Disaster Recovery Plan (Required)	Establish procedures to restore lost data and resume operations. NIST recommends documented recovery procedures, alterna...
164.308(a)(7)(ii)(C)	Emergency Mode Operation Plan (Required)	Establish procedures to enable continuation of critical processes and security of ePHI during emergency mode. NIST recom...
164.308(a)(7)(ii)(D)	Testing and Revision Procedures (Addressable)	Implement procedures for periodic testing and revision of contingency plans. NIST recommends annual tabletop, biennial f...
164.308(a)(7)(ii)(E)	Applications and Data Criticality Analysis (Addressable)	Assess the relative criticality of applications and data in support of other contingency components. NIST recommends tie...
164.308(a)(8)	Evaluation (Standard)	Perform periodic technical and nontechnical evaluation. NIST recommends combining policy review, control testing, vulner...
RA-EPHI-LOC	Risk Analysis: Identify Where ePHI Is Created, Received, Maintained, or Transmitted	Map every system, application, device, storage location, and transmission path handling ePHI across on-premises, cloud,...
RA-IMPACT	Risk Analysis: Determine the Impact of a Threat Exploiting a Vulnerability	Determine adverse impact to ePHI confidentiality, integrity, and availability per scenario, including impact to individu...
RA-LIKELIHOOD	Risk Analysis: Determine the Likelihood of a Threat Exploiting a Vulnerability	Assess likelihood for each threat and vulnerability pairing using a defined scale, considering threat source capability,...
RA-PREP	Risk Analysis: Prepare for the Assessment	Establish risk analysis purpose, scope, assumptions, constraints, sources of information, and risk model before commenci...
RA-RISK	Risk Analysis: Determine the Level of Risk	Combine likelihood and impact determinations to assign a risk level to each threat and vulnerability pairing using a def...
RA-SCOPE	Risk Analysis: Identify Scope of the Analysis	Identify all ePHI created, received, maintained, or transmitted by the regulated entity, including data flows to busines...
RA-THREATS	Risk Analysis: Identify Threats to ePHI	Catalogue reasonably anticipated threats to confidentiality, integrity, and availability of ePHI including adversarial,...
RA-VULN	Risk Analysis: Identify Potential Vulnerabilities and Predisposing Conditions	Identify technical, physical, and administrative vulnerabilities and predisposing conditions that threats could exploit...

Documentation

4 controls

Controls in the Documentation domain of NIST SP 800-66 Rev 2 — 4 controls
Code	Title	Description
164.316(a)	Policies and Procedures (Standard)	Implement reasonable and appropriate policies and procedures to comply with the Security Rule standards. NIST recommends...
164.316(b)(1)	Documentation (Standard)	Maintain the policies and procedures and a written or electronic record of any required action, activity, or assessment....
164.316(b)(2)	Time Limit, Availability, and Updates (Required)	Retain documentation for six years from creation or last effective date, make it available to those responsible for impl...
RA-DOC	Risk Analysis: Document the Risk Assessment Results	Document risk analysis methodology, inputs, determinations, and results in a manner sufficient to support risk managemen...

Organizational

1 controls

Controls in the Organizational domain of NIST SP 800-66 Rev 2 — 1 controls
Code	Title	Description
164.308(b)(1)	Business Associate Contracts and Other Arrangements (Standard)	A covered entity may permit a business associate to handle ePHI only after obtaining satisfactory assurances via written...

Physical

12 controls

Controls in the Physical domain of NIST SP 800-66 Rev 2 — 12 controls
Code	Title	Description
164.310(a)(1)	Facility Access Controls (Standard)	Implement policies limiting physical access to electronic information systems and facilities while ensuring properly aut...
164.310(a)(2)(i)	Contingency Operations (Addressable)	Establish procedures allowing facility access in support of restoration of lost data under disaster recovery plan and em...
164.310(a)(2)(ii)	Facility Security Plan (Addressable)	Implement policies to safeguard facility and equipment from unauthorized physical access, tampering, and theft. NIST rec...
164.310(a)(2)(iii)	Access Control and Validation Procedures (Addressable)	Implement procedures to control and validate access to facilities based on role or function, including visitor control a...
164.310(a)(2)(iv)	Maintenance Records (Addressable)	Implement policies to document repairs and modifications to physical security components of the facility related to secu...
164.310(b)	Workstation Use (Standard)	Implement policies specifying proper functions, manner of performance, and physical attributes for workstations accessin...
164.310(c)	Workstation Security (Standard)	Implement physical safeguards for workstations accessing ePHI to restrict access to authorized users. NIST recommends po...
164.310(d)(1)	Device and Media Controls (Standard)	Implement policies governing receipt and removal of hardware and electronic media containing ePHI into, out of, and with...
164.310(d)(2)(i)	Disposal (Required)	Implement policies to address the final disposition of ePHI and the hardware or media on which it is stored. NIST recomm...
164.310(d)(2)(ii)	Media Re-use (Required)	Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. NIST reco...
164.310(d)(2)(iii)	Accountability (Addressable)	Maintain a record of the movements of hardware and electronic media containing ePHI and any person responsible. NIST rec...
164.310(d)(2)(iv)	Data Backup and Storage (Addressable)	Create a retrievable, exact copy of ePHI when needed before movement of equipment. NIST recommends pre-move backup verif...

Technical

12 controls

Controls in the Technical domain of NIST SP 800-66 Rev 2 — 12 controls
Code	Title	Description
164.312(a)(1)	Access Control (Standard)	Implement technical policies and procedures to allow only authorized persons or software programs access to ePHI. NIST r...
164.312(a)(2)(i)	Unique User Identification (Required)	Assign a unique name or number for identifying and tracking user identity. NIST recommends no shared accounts and centra...
164.312(a)(2)(ii)	Emergency Access Procedure (Required)	Establish procedures for obtaining necessary ePHI during an emergency. NIST recommends break-glass accounts, time-bounde...
164.312(a)(2)(iii)	Automatic Logoff (Addressable)	Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. NIST reco...
164.312(a)(2)(iv)	Encryption and Decryption (Addressable)	Implement a mechanism to encrypt and decrypt ePHI. NIST recommends FIPS 140-validated cryptography, encryption at rest f...
164.312(b)	Audit Controls (Standard)	Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that con...
164.312(c)(1)	Integrity (Standard)	Implement policies and procedures to protect ePHI from improper alteration or destruction. NIST recommends integrity con...
164.312(c)(2)	Mechanism to Authenticate ePHI (Addressable)	Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. NI...
164.312(d)	Person or Entity Authentication (Standard)	Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. NIST recommends multi-...
164.312(e)(1)	Transmission Security (Standard)	Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic commun...
164.312(e)(2)(i)	Integrity Controls for Transmission (Addressable)	Implement security measures to ensure electronically transmitted ePHI is not improperly modified without detection until...
164.312(e)(2)(ii)	Encryption of Transmissions (Addressable)	Implement a mechanism to encrypt ePHI whenever deemed appropriate. NIST recommends defaulting to encryption for all ePHI...

Frequently Asked Questions

What is NIST SP 800-66 Rev 2?

NIST SP 800-66 Rev 2 is a compliance framework from United States with 5 domains and 65 controls. NIST SP 800-66 Rev 2 Implementing the HIPAA Security Rule (Feb 2024). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-66 Rev 2 have?

NIST SP 800-66 Rev 2 has 65 controls organised across 5 domains. The largest domains are Administrative (36 controls), Physical (12 controls), Technical (12 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-66 Rev 2 map to?

NIST SP 800-66 Rev 2 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with NIST SP 800-66 Rev 2 compliance?

Start your NIST SP 800-66 Rev 2 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-66 Rev 2 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 65 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required