How the HIPAA Safe Harbor Bill Supports Compliance

Healthcare providers are finding it difficult to defend their network perimeter and keeping cybercriminals at bay. Worse yet, some healthcare organizations have been penalized for breaking HIPAA rules even after they have implemented industry-standard best security practices.

They weren’t exactly fined for breaking HIPAA rules but for data breaches that they could do very little to avoid. Before moving on to the HIPAA Safe Harbor bill, let’s briefly take a look at what constitutes a breach, violation, and the current cybersecurity scenario in the U.S. healthcare industry.

Impermissible access, use, or disclosure of protected health information (PHI) is presumed to be a data breach unless the covered entity or business associate can prove that it is highly unlikely that their PHI has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

  • The unauthorized person who used the PHI or to whom the disclosure was made;

  • Whether the PHI was acquired or viewed; and

  • The extent to which the risk to the PHI has been mitigated.

On the other hand, a HIPAA violation occurs when a covered entity or business associates fail to comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rule.

That said, the Office for Civil Rights, known as the OCR, has the discretion to waive a financial penalty in the case of an unknown violation, where the covered entity could not have done anything to avoid the data breach. However, the penalty cannot be waived if the covered entity does not comply with the HIPAA Privacy, Security, and Breach Notification Rules.

Assuming that an entity has been fully compliant with the HIPAA rules and followed industry-standard security practices, it may seem unreasonable to penalize an entity. However, in light of the recent data breaches stemming from cybersecurity incidents, many organizations have been fined for unavoidable and highly sophisticated cybersecurity incidents.

It seemed unfair that the OCR had the authority to penalize these organizations despite enforcing the best security practices.

However, cyberattacks have increased their frequency of attacks, targeting the healthcare industry for highly enriched information. Meanwhile, healthcare accounted for 79% of all reported data breaches in the first ten months of 2020. What’s more, cyberattacks targeting the healthcare sector have increased by 45% since November 2020.

Truly terrifying indeed. What can cover entities and business associates do except pay fines for breaches they cannot really avoid.

But finally, there’s something to look forward to. In the midst of all the chaos, President Trump officially signed the HIPAA Safe Harbor (H.R. 7898) bill into law on January 5, 2021. Amending the HITECH Act, the bill now requires the Department of Health and Human Services (HHS) to reward organizations for following industry-standard cybersecurity practices for complying with HIPAA.

This is indeed splendid news for organizations in the healthcare industry that have been victimized by cybersecurity incidents. It is one of many recent initiatives aimed at promoting cybersecurity in healthcare. The system of incentives serves as a motivation for healthcare organizations to spend more on cybersecurity. In short, healthcare providers can expect incentives if they follow industry-standard security practices through reduced fines and the extent of an audit.

There are three major changes that the HIPAA Safe Harbor bill will bring into effect:

First, the HHS must take into account the security practices followed by an organization in the past twelve months before issuing fines and disciplinary actions. Furthermore, the HHS has to consider cybersecurity when calculating fines related to security incidents.

Second, the HHS is required to decrease the length and extent of an audit when an impacted organization meets industry-standard best-practice security standards.

Third, the HHS will also not have the authority to increase fines or the extent of an investigation, when an organization is found to be out of compliance with the recognized security standards, such as NIST guidelines or the Cybersecurity Act of 2015.

Instead, compliance will now be reviewed by assessing the covered entities and business associates’ consistency with the HIPAA Security Rule. The bill also encourages providers to immediately put a security plan into action after conducting a security risk assessment with proper documentation. Conducting these security risk assessments can be easily streamlined using HIPAA compliance software.

One more pressing concern is the lack of cybersecurity education as part of the HIPAA Security training. Albeit many organizations are still failing to provide adequate and sufficient HIPAA training to their employees, it should be noted that cybersecurity will only become more vital in the coming days.

Nevertheless, the overbearing standards of HIPAA can sometimes be arduous to comply with. And that is why the HIPAA Safe Harbor bill came into effect just at the right time. It is of course ideal to follow the new HIPAA Safe Harbor bill not because it gives providers the chance to defend against massive fines but also because the probability of damaging cyberattacks and ransomware will likely reduce.