HIPAA Safe Harbor Amendment — Real Guidance for Security Best Practices
by Teresa Burns, Director of Privacy Operations and Privacy Officer on March 9, 2021
Covered Entities and Business Associates are well aware of the mandatory requirements of the HIPAA Security Rule and the HITECH Act, but until recently, there was limited specific guidance from HHS and OCR on how to comply with those standards or on what regulators viewed as appropriate compliance efforts. On January 5, 2021, HR 7898, commonly referred to as the HIPAA Safe Harbor Bill, was signed into law, amending the HITECH Act and providing some clarity for Covered Entities and Business Associates on industry best practices for security. The law requires HHS and OCR to provide certain incentives to entities that adopt recognized cybersecurity best practices in meeting HIPAA standards.
Industry best practices now equate to specific standards, practices, and guidelines under NIST (National Institute of Standards and Technology) and the Cybersecurity Act of 2015. Covered Entities and Business Associates may now have some level of assurance that following those existing regulations, acts, and standards is what HHS and OCR expect to meet “industry best practices” related to security compliance efforts under HIPAA and HITECH. Some of the uncertainty regarding compliance efforts has now been removed, and the new law provides clarity for entities trying to build and maintain robust security programs.
Just as significant for Covered Entities and Business Associates is the mandate in the law that HHS and OCR must “take into consideration” an entity’s security posture and program when conducting investigations and audits and when assessing fines related to security incidents and breaches. The purpose of that mandate is twofold. First, the law is meant to incentivize entities to build robust security programs under the now-prescribed industry best practices, thus ensuring compliance with the HIPAA Security Rule and the HITECH Act. Second, HHS and OCR must recognize the entities that have met those industry standards, thus lessening the administrative burdens of audits and investigations and limiting or reducing the fines that may be assessed when an incident does occur. That recognition formalizes the reality that, notwithstanding the best of efforts, incidents may and often do occur, and not always because an entity failed to take the necessary and required steps to protect data.
Over the past several years, cybersecurity incidents and hacks of healthcare data systems have become commonplace. Bad actors have grown more sophisticated, and their attacks on systems holding sensitive data and information have grown more complex as well. Following strict security protocols will reduce the risk of suffering a serious incident, but even the federal government recognizes that no program or protocol is foolproof. However, healthcare entities that choose to ignore basic security requirements under HIPAA increase their risk of suffering a serious security incident, serious consequences from OCR, and severe reputational and business harm. While the newly passed Safe Harbor law benefits Covered Entities and Business Associates that have robust security programs, the law should also serve as a wake-up call for those that do not take HIPAA and HITECH seriously enough to invest the resources necessary to secure sensitive data. Now that there is clarity around what is considered an “industry best practice,” there can be few excuses for ignoring those standards and protocols. While specific OCR guidance is still pending and the law has yet to be tested, government regulators are telling the healthcare industry what it must do to protect sensitive data. Who is listening?
Email our team to learn how your organization can better secure sensitive data using healthcare compliance analytics.