
HIPAA Cybersecurity Incentivized in New Safe Harbor Law


After an unprecedented year of cyber-attacks and ransomware against healthcare organizations, former President Donald Trump signed the Safe Harbor Bill into law. It amends the HITECH Act so that HIPAA fines and penalties for data breaches can be reduced if your practice has proper security measures in place. The new legislation (Safe Harbor Law – HR 7898) went into effect on January 5th, 2021.

What Is the HIPAA Safe Harbor Law?

The HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services (HHS) to consider whether a covered entity or business associate has met recognized cybersecurity practices when HHS makes certain determinations, such as whether to bring an enforcement action. Under this new legislation, HHS will take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule.


HHS may reduce fines and penalties for violations of certain federal privacy standards for health information or PHI if the practices or covered entities have all the basic technical safeguards in place to mitigate identified threats. In summary, if your organization has adopted one of the defined “recognized security practices” and has a data breach violation, HHS may be more lenient with fines and penalties.

What Does “Recognized Cybersecurity Practices” Mean?

The Safe Harbor Bill has loosely defined recognized cybersecurity practices and HHS has not yet publicized regulations, but the legislation cites two frameworks:

  • NIST Act: Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act.
  • Cybersecurity Act of 2015: cybersecurity practices developed under section 405 of this Act.

Your organization or practice must have a cybersecurity framework in place and demonstrate having industry-standard security measures in place for 12 months before getting the benefits of reduced enforcement and penalties.

There is no specific timeline for HHS to develop regulations that implement the law, but covered entities and business associates should begin preparing now. The addition of the HIPAA Safe Harbor Law signals that compliance and cybersecurity work best together. The first step is to assess your organization’s weaknesses using a HIPAA Compliance Gap Analysis. Our team of compliance experts is here to help. If you do not have the required security standards in place, it’s time to start implementing these cybersecurity best practices, as cyber threats in the healthcare sector continue to rise in 2021.

Corsica Technologies
Corsica provides personalized service and a virtual CIO (vCIO) who serves as a strategic advisor. When it comes to the complex integration of solutions for IT and cybersecurity, the whole is greater than the sum of its parts. We offer cybersecurity solutions, managed services, digital transformation, resale services, and one-off technology projects. Corsica unifies any combination of these services into a complete, seamless solution.
