After an unprecedented year of cyber-attacks and ransomware incidents targeting healthcare organizations, former President Donald Trump signed the Safe Harbor Bill into law. It ratified changes to the HITECH Act that include reduced HIPAA fines and penalties for data breaches if your practice has proper security measures in place. The new legislation (Safe Harbor Law, HR 7898) went into effect on January 5th, 2021.
What Is the HIPAA Safe Harbor Law?
The HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services (HHS) to consider whether a covered entity or business associate has met recognized cybersecurity practices when HHS makes certain determinations, such as whether to bring an enforcement action. Under this new legislation, HHS will take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule.
HHS may reduce fines and penalties for violations of certain federal privacy standards for health information, or protected health information (PHI), if the practice or covered entity has all the basic technical safeguards in place to mitigate identified threats. In summary, if your organization has adopted one of the defined “recognized security practices” and then suffers a data breach violation, HHS may be more lenient with fines and penalties.
What Does “Recognized Cybersecurity Practices” Mean?
The Safe Harbor Bill only loosely defines recognized cybersecurity practices, and HHS has not yet published implementing regulations, but the legislation cites two frameworks:
- NIST Act: Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act.
- Cybersecurity Act of 2015: cybersecurity practices developed under section 405 of this Act.
Your organization or practice must have a cybersecurity framework in place and be able to demonstrate that industry-standard security measures have been in place for 12 months before receiving the benefit of reduced enforcement and penalties.
There is no specific timeline for HHS to develop regulations that implement the law, but covered entities and business associates should begin preparing now. The addition of the HIPAA Safe Harbor Law signals that compliance and cybersecurity work best together. The first step is to assess your organization’s weaknesses using a HIPAA Compliance Gap Analysis. Our team of compliance experts is here to help. If you do not have the required security standards in place, it’s time to start implementing these cybersecurity best practices, as cyber threats in the healthcare sector continue to rise in 2021.