An important new piece of legislation provides great news for HIPAA-regulated covered entities (CEs) and business associates (BAs).

Passed on January 5, 2021, the HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services (HHS) to incentivize cybersecurity best practices. This should both help covered entities mitigate HIPAA fines when a breach occurs despite the use of industry-standard recognized security practices and incentivize proactive and increased cybersecurity measures.

Strengthening Cybersecurity in HIPAA-Covered Entities

HIPAA enforcement actions “have applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices,” according to the Healthcare Sector Coordinating Council (HSCC).

“The bill rebalances this inequity by directing HHS, when making determinations against HIPAA-covered entities and their business associates victimized by a cyberattack, to take into account their use of recognized security best practices during the last 12 months,” HSCC officials wrote at the time.


Updating HIPAA Best Practices

The new bill updates some technical aspects of the HITECH Act passed in 2009. “The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities,” according to the law.

The HIPAA Safe Harbor Bill, most importantly, provides positive incentives for covered entities and business associates. The legislation allows HHS to take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit if it is determined that the impacted entity has indeed met industry-standard recognized security practices.

Importantly, through the implementation of updated cybersecurity controls, proactive and increased cybersecurity measures should better protect CEs, BAs, and Patient Health Information (PHI).

Becoming HIPAA Compliant

Any entity that falls under HIPAA regulation and does not currently follow industry best practices for cybersecurity should start active remediation immediately. The act requires cybersecurity measures to have been in place for “the previous 12 months”. That means a program started today will count as a mitigating factor only once it has been in place through at least this date next year.

Covered entities should work with their IT department and/or Managed Services Provider to ensure adherence to the current HIPAA regulations. That means following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). It means conducting a Risk Analysis annually, so that the current one is no more than 12 months old. It means meeting the HIPAA Security Rule with documentation covering the required Administrative, Physical, and Technical Safeguard requirements. Covered entities should also update their Risk Management Plan documents and keep them current.

Covered entities should hopefully see lower insurance premiums for demonstrating HIPAA compliance under this update. They should also expect fines to be lower in the case of a breach if they can demonstrate compliance. Finally, covered entities should expect audits to be faster and remediation to be less burdensome if HIPAA compliance is in place and well documented.

Key Take-Aways

- Covered entities that do not have a comprehensive HIPAA regulatory compliance program in place now have a meaningful financial incentive to put one in place. Immediate potential offsets in insurance premiums, increased patient protections, and a significant reduction in risk from future HHS actions make now the best time to act.

- Covered entities without the in-house resources to make this happen should engage an experienced IT Managed Services Provider as a Business Associate and implement updated plans immediately. An IT MSP can make recommendations that save hundreds of hours of work. They understand the technical jargon for demonstrating adherence to the NIST CSF and the HIPAA Security Rule Technical Safeguards. Their familiarity with the technical world allows them to write reasonable Risk Assessments based on industry data and published reports. They can implement automation software and technical tools that eliminate hours spent on documentation.

- A highly competent IT MSP can make the difference between thousands of dollars spent up front on implementing an updated cybersecurity program and potentially millions of dollars spent on a breach without a compliance program.

However a HIPAA-regulated entity chooses to move forward, the time to do so has never been better than now.
