On January 5, 2021, the HR 7898 – HIPAA Safe Harbor Bill was signed into law. It amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to incentivize best-practice security.

The bill requires the Secretary of HHS, when considering penalties, audits, and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months. Under the law, the term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The focus of HHS is on existing programs for assessing cybersecurity risks to electronic protected health information (ePHI): annual security risk analyses, an inventory of ePHI, risk management plans, and implementation of administrative, technical, and physical safeguards to address the identified risks. It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.

Recent reports show cyberattacks against healthcare entities increased 45 percent in the last two months. Further, the Healthcare and Public Health Sector Coordinating Council (HSCC) noted that HIPAA enforcement actions often “have applied severe penalties against organizations victimized by cyberattacks despite their well-resourced programs that employ industry best cybersecurity practices.” The newly signed bill rebalances this inequity by directing HHS, when making determinations against HIPAA-covered entities and their business associates victimized by a cyberattack, to consider their use of recognized security practices during the preceding 12 months.

As the healthcare industry continues to serve as one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should provide some much-needed relief to covered entities and business associates that have spent years and significant dollars to implement cybersecurity best practices.


The new safe harbor requires that, when calculating fines, evaluating audits, or reviewing proposed mitigation steps, HHS consider whether the covered entity or business associate adequately demonstrated that it had “recognized security practices” in place for at least the prior 12 months. Such a demonstration could:

  • Mitigate HIPAA fines.
  • Result in the early, favorable termination of a HIPAA audit.
  • Mitigate the remedies in a HIPAA resolution agreement with HHS.

Thus, the new safe harbor has the potential to significantly incentivize entities that are able and willing to invest in robust cybersecurity programs built on these recognized security practices: safeguarding health information this way should result in a less punitive outcome should a security incident occur. Notably, however, the amendment did not increase the penalties that HHS can issue to entities that do not implement recognized security practices. The law also expressly notes that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards.

Agio shares information meant not only to make you aware of key changes in prominent cybersecurity and privacy standards, laws, and frameworks, but also to provide context and clarity on these rapidly changing and emerging topics.