[cnkeller]

When you state HIPPA compliance, are you saying that you've addressed NIST 800-66 with a 3rd party certification? As I'm sure you know, the word "compliance" is sort of funny and subject to interpretation.

Disclaimer: I work in a similar space.

[chasb]

Great question! We audit customers against an adapted version of HHS's pilot audit protocol for covered entities[0], tailored for cloud-based software business associates. HHS is starting the permanent audit program and we expect them to publish an audit protocol specifically for business associates this fall.

NIST Special Publications are great resources, and we use them where appropriate, but as I'm sure you know, they're not specific enough to just audit against a single publication and call it a day.

For example, NIST SP 800-66 Revision 1[1]:

1. Only covers the Security Rule 2. Consists of mostly pointers to the other, substantive NIST SPs, and 3. Isn't as detailed as the audit protocol from HHS, which is the entity that will ultimately judge your compliance

Again, all of that said, we love NIST(!) and use their methodologies and guidance (including SP 800-66 Rev 1) extensively.

[0] http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/

[1] http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-80...