HIPAA Safe Harbor Act
President Donald Trump signed HR 7898 into law on January 5, 2021. The HIPAA Safe Harbor bill amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to take an organization's cybersecurity practices into account when it enforces HIPAA.
Specifically, the law requires HHS to consider whether a covered entity or business associate has adequately demonstrated that it had "recognized security practices" in place for at least the previous 12 months when HHS determines fines, audits, and settlement remedies. Under the new HIPAA Safe Harbor, the following factors apply:
- HHS cannot increase the amount of a HIPAA fine, or the length, extent, or quantity of an audit, because an entity is found not to have recognized security practices in place. The safe harbor only mitigates; it does not create a new penalty.
- Whether an entity qualifies is judged on its consistent, documented practices over time, not on a single control or a recent purchase.
- HHS must consider the recognized security practices an entity had in place for at least the 12 months before the incident when calculating HIPAA fines.
- If the entity can demonstrate those recognized security practices, HHS must consider them in mitigating fines, in favorably and early terminating an audit, and in reducing the remedies it would otherwise require in a resolution agreement for HIPAA Security Rule violations.
This law offers real protection in the long run for healthcare entities, because when your facility falls victim to a cyberattack, you should be treated as a victim and not as the offender. For a long time it made little sense for HHS to worsen the situation by fining your facility for HIPAA violations on top of the attack it had just endured; in other words, kicking you in the mouth while you are down.
In essence, in passing this law the government recognized that providers who are victims of cyberattacks could not necessarily have prevented them, so hefty fines should not be the automatic answer. The FBI has made the same point, noting that attacks on the medical community are a matter of when rather than if, and that they are not always preventable.
What providers can do is exercise best practices, and that means complying, now more than ever, with the HIPAA Privacy and Security Rules and adopting recognized security practices on top of them. These amendments to the HITECH Act tell us that if you still do not have a robust HIPAA Security Rule compliance plan in place, you should start now so that you can take advantage of the HIPAA Safe Harbor. If you do, HHS must weigh that when it sets fines and penalties. In an age of well-funded, successful cybercriminals, this makes HIPAA compliance even more important for facilities.
More importantly, this provision serves as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety.
Important Things to Note:
- Organizations must be able to prove they had recognized security practices in place for at least the 12 months before the incident to get the benefit of reduced enforcement. Anything less simply means no mitigation; the ordinary fine and audit process applies.
- HHS will consider the specific cybersecurity practices the healthcare organization actually had in place when calculating fines for a security incident. A single control that is unrelated to the cause of the breach will not carry much weight. Organizations must have their Security Risk Analysis, their chosen security framework, and the accompanying mitigation efforts documented and demonstrable to receive the benefits.
- HHS cannot increase the fine amount or the extent of an audit because a practice is found not to have recognized security practices. That is some relief for organizations that are behind, but it does not change the fact that the HIPAA Security Rule itself still applies in full, and it is no reason to skip the basic security measures.
- The law also made technical corrections to the 21st Century Cures Act related to the information-blocking enforcement authority of the HHS Office of Inspector General (OIG). Under the new law, the OIG is authorized to obtain information, assistance, and other support from federal agencies when investigating claims of information blocking by developers or other entities offering health information technology.
What are Recognized Cybersecurity Practices?
1. The standards, guidelines, best practices, methodologies, procedures, and processes developed by NIST under the NIST Act, which in practice means the NIST Cybersecurity Framework.
2. The approaches developed under section 405(d) of the Cybersecurity Act of 2015, published by HHS and industry as the Health Industry Cybersecurity Practices (HICP).
3. Other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
In every case the entity chooses which of these to adopt, and the HIPAA Security Rule remains a separate, mandatory baseline: completing a Security Risk Analysis, implementing the administrative, physical, and technical safeguards that mitigate the identified risks, and documenting all of it are still required whether or not you claim the safe harbor.
What To Do Now?
Is that even a question? To put it bluntly, if you do not have the required security standards in place already, quit sitting on your hands and get a move on. Implementing these recognized security practices could mean the difference between a hefty fine or enforcement action and a mitigated one if your practice ever falls victim to a data breach or other HIPAA violation, which is more often than not outside your control.
What really matters about this change is that having some cybersecurity measures in place will not cut it. If you do not have the specific safeguards required under the HIPAA Security Rule, and a recognized security framework documented and in place for at least 12 months, you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand: to get the benefit of reduced fines, you will need both.