NIST SP 800-66: the HIPAA Security Rule instruction manual
HIPAA tells you what to do. NIST SP 800-66 tells you how. Detailed implementation activities for every administrative, physical, and technical safeguard in the Security Rule. HHS references this as the authoritative implementation guide. BlackSheep tracks every 800-66 requirement alongside your HIPAA controls.
$249/month · All frameworks included · No credit card to start
- 12 implementation areas
- 4 safeguard categories
- Rev 2, Feb 2024 (latest)
- Referenced guidance: HHS
Implementation guidance by safeguard category
Each HIPAA standard mapped to specific implementation activities and assessment criteria.
Administrative Safeguard Implementation
§164.308 · 5 controls
- Risk analysis using NIST SP 800-30 methodology
- Risk management plan with prioritized mitigations
- Security official designation with documented authority
- Workforce security: authorization, clearance, and termination
- Training: security reminders, malware, log-in monitoring, passwords
- Contingency plan: backup, DR, emergency mode, testing, criticality analysis
Physical Safeguard Implementation
§164.310 · 2 controls
- Facility access: contingency operations, security plan, validation, maintenance records
- Workstation use policies and physical security
- Device disposal rendering ePHI unrecoverable
- Media re-use, accountability tracking, and data backup before equipment moves
Technical Safeguard Implementation
§164.312 · 3 controls
- Unique user IDs, emergency access, automatic logoff, encryption at rest
- Audit controls capturing ePHI access and system changes
- Integrity mechanisms verifying that ePHI has not been improperly altered
- MFA for remote access, TLS 1.2+ for transmission security
Organizational & Documentation
§164.314/316 · 2 controls
- BAA provisions meeting all Security Rule requirements
- Six-year documentation retention
- Annual policy review and version control
- Documentation accessible to responsible personnel
Common questions about NIST SP 800-66
Why use 800-66 if we already have HIPAA controls?
HIPAA tells you the what — 800-66 tells you the how. For example, HIPAA requires a 'risk analysis.' 800-66 specifies using NIST SP 800-30 methodology, identifies specific activities, and provides assessment criteria. It transforms vague requirements into actionable implementation steps.
Does following 800-66 guarantee HIPAA compliance?
No single document guarantees compliance, but following 800-66 demonstrates a systematic, good-faith implementation of the Security Rule. HHS references it as authoritative guidance. If you can show your security program follows 800-66, you're in a strong position during any audit or investigation.
What changed from Revision 1 to Revision 2?
Rev 2 (February 2024) updated implementation guidance to reflect modern technology (cloud computing, mobile devices, telehealth), aligned with current NIST publications (800-53 Rev 5, 800-30 Rev 1), and incorporated lessons from a decade of HIPAA enforcement actions and breach trends.
Can non-healthcare organizations use 800-66?
While written for HIPAA covered entities, 800-66's implementation methodology is applicable to any organization. The risk analysis approach, safeguard implementation patterns, and assessment criteria translate well to other regulatory frameworks.
Related frameworks
HIPAA Security Rule
The regulation that 800-66 implements. Use the two together for complete compliance.
HITECH Act
Strengthened HIPAA enforcement that 800-66 Rev 2 incorporates.
HITRUST CSF
Certifiable framework that incorporates 800-66 guidance into its assessment.
NIST CSF 2.0
The overarching NIST framework. 800-66 provides healthcare-specific detail.
HIPAA tells you what. 800-66 tells you how. BlackSheep tracks it all.
Track your implementation of every 800-66 activity alongside your HIPAA controls. One dashboard showing both the requirement and the implementation guidance.
$249/month. 30-day money-back guarantee.