NIST 800-66 and Third-Party Risk

Simplify HIPAA Security Rule Assessments

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 was developed to help healthcare delivery organizations (HDOs) understand the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and provide a framework to support its implementation.

The HIPAA Security Rule applies to any organization managing electronic protected health information (ePHI), whether they are a covered entity or a business associate (e.g., third-party vendor, supplier or partner). The rule requires organizations to:

Ensure the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit
Identify and protect against reasonably anticipated threats to the security or integrity of the information
Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated
Ensure compliance by their workforce

Adhering to the guidelines and best practices in NIST 800-66r2 will help healthcare organizations simplify their HIPAA Security Rule compliance.

Relevant Requirements

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

The NIST 800-66 Third-Party Compliance Checklist

Learn about SP 800-66 HIPAA Security Rule risk assessments and management guidance for third-party business associates.

Read Now

Feature nist 800 66 compliance checklist 0822

Understanding the HIPAA Security Rule

The HIPAA Security Rule recommends seven steps to include in a comprehensive risk assessment process. The table below maps Prevalent solution capabilities to each step, illustrating how a third-party risk management solution can help to address these best practices.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

Recommended Steps & Tasks	How We Help
1. Prepare for the Assessment Understand where ePHI is created, received, maintained, processed or transmitted. Define the scope of the assessment.	Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding. Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored for financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening. Once third and fourth parties are identified, you can leverage the 750+ pre-defined assessment templates available in the Prevalent Platform to assess third-party business associates against NIST, HIPAA or other requirements.
2. Identify Realistic Threats Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.	Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include: 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies A database with 10+ years of breach history for thousands of companies 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more A global network of 2 million businesses with 5 years of organizational changes and financial performance 30,000 global news sources A database containing over 1.8 million politically exposed person profiles Global sanctions lists and 1,000+ enforcement lists and court filings
3. Identify Potential Vulnerabilities and Predisposing Conditions Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.	Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.
4.-6. Determine the Likelihood (and Impact) of a Threat Exploiting a Vulnerability; Determine the Level of Risk Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability. Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability. Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.	The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.
7. Document the Risk Assessment Results Document the results of the risk assessment.	With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports for dozens of government regulations and industry frameworks, including NIST, HIPAA and many more.

Recommended Steps & Tasks

How We Help

1. Prepare for the Assessment

Understand where ePHI is created, received, maintained, processed or transmitted.

Define the scope of the assessment.

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored for financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

Once third and fourth parties are identified, you can leverage the 750+ pre-defined assessment templates available in the Prevalent Platform to assess third-party business associates against NIST, HIPAA or other requirements.

2. Identify Realistic Threats

Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:

1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
A database with 10+ years of breach history for thousands of companies
550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
A global network of 2 million businesses with 5 years of organizational changes and financial performance
30,000 global news sources
A database containing over 1.8 million politically exposed person profiles
Global sanctions lists and 1,000+ enforcement lists and court filings

3. Identify Potential Vulnerabilities and Predisposing Conditions

Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.

Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.

4.-6. Determine the Likelihood (and Impact) of a Threat Exploiting a Vulnerability; Determine the Level of Risk

Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability.

Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability.

Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.

The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.

7. Document the Risk Assessment Results

Document the results of the risk assessment.

With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports for dozens of government regulations and industry frameworks, including NIST, HIPAA and many more.

Mapping Prevalent Capabilities to NIST SP 800-66r2 HIPAA Security Rule Requirements

NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. The table below identifies specific business associate measures and maps Prevalent capabilities that help to satisfy the requirements.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

Key Activity & Description	How We Help
5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)) HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
1. Identify Entities that are Business Associates Under the HIPAA Security Rule Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements. Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current. Identify systems covered by the contract/agreement. Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations.	Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment. Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. Criteria includes: Type of content required to validate controls Criticality to business performance and operations Location(s) and related legal or regulatory considerations Level of reliance on fourth parties (to avoid concentration risk) Exposure to operational or client-facing processes Interaction with protected data Financial status and health Reputation From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract. Establish criteria for measuring contract performance.	Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments. When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
3. Written Contract or Other Arrangement Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a)… Execute new or update existing agreements or arrangements as appropriate. Identify roles and responsibilities. Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI. Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate.	Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include: Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views Workflow capabilities (based on user or contract type) to automate the contract management lifecycle Automated reminders and overdue notices to streamline contract reviews Centralized contract discussion and comment tracking Contract and document storage with role-based permissions and audit trails of all access Version control tracking that supports offline contract and document edits Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.
5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity. 2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section.	Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. With these capabilities, you can ensure that the right clauses – such as security controls enforcement, auditability, incident response, notifications, fourth-party subcontractor arrangements, etc. – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.
3. Contract Must Provide that Business Associates Will Report Security Incidents Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410. Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract. Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach.	In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance. Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.
4. Other Arrangements The covered entity complies with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). 5. Business Associate Contracts with Subcontractors The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.	In addition to ensuring that business associate contracts contain provisions for assess fourth-party risks, Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment.

Key Activity & Description

How We Help

5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

1. Identify Entities that are Business Associates Under the HIPAA Security Rule

Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements.
Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current.
Identify systems covered by the contract/agreement.
Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations.

Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment.

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. Criteria includes:

Type of content required to validate controls
Criticality to business performance and operations
Location(s) and related legal or regulatory considerations
Level of reliance on fourth parties (to avoid concentration risk)
Exposure to operational or client-facing processes
Interaction with protected data
Financial status and health
Reputation

From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met

Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract.
Establish criteria for measuring contract performance.

Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments.

When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

3. Written Contract or Other Arrangement

Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a)…
Execute new or update existing agreements or arrangements as appropriate.
Identify roles and responsibilities.
Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI.
Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:

Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
Automated reminders and overdue notices to streamline contract reviews
Centralized contract discussion and comment tracking
Contract and document storage with role-based permissions and audit trails of all access
Version control tracking that supports offline contract and document edits
Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a))

HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule

Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity.

2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI

In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With these capabilities, you can ensure that the right clauses – such as security controls enforcement, auditability, incident response, notifications, fourth-party subcontractor arrangements, etc. – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

3. Contract Must Provide that Business Associates Will Report Security Incidents

Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410.
Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract.
Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach.

In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.

4. Other Arrangements

The covered entity complies with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).

5. Business Associate Contracts with Subcontractors

The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

In addition to ensuring that business associate contracts contain provisions for assess fourth-party risks, Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment.

Navigate the TPRM Compliance Landscape

The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.

Read Now

Featured Resources

Blog Post
A HIPAA Compliance Checklist for Third-Party Risk Management

Complying with HIPAA legislation requires gaining complete, internal view of third-party security and privacy controls. Learn...
Blog Post
Healthcare Vendor Data Breaches: 3 Steps to Mitigate Business Associate Risk

With an ever-growing number of healthcare vendor data breaches, use this guidance to be more proactive...
Blog Post
Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk...

NIST has authored several industry standards that deal with identifying, assessing and managing supply chain risk...

Ready for a demo?
Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
Request a Demo

NIST SP 800-66 Compliance

Relevant Requirements

A HIPAA Compliance Checklist for Third-Party Risk Management

Healthcare Vendor Data Breaches: 3 Steps to Mitigate Business Associate Risk

Meeting NIST 800-53, NIST 800-161 and NIST CSF Third-Party Risk...