A new law amending the HITECH Act was signed by the President on January 5.
The HIPAA Safe Harbor Bill (HR 7898) could help covered entities and business associates defend against HIPAA investigations if they employ strong cybersecurity measures. The law is designed to incentivize healthcare organizations to use industry-standard security practices because if they do, fines will be reduced and audits could be ended early.
The law is not designed as a guarantee that healthcare organizations will avoid all liability, but it can help shield them against larger fines or reduce the length of an audit. The Office for Civil Rights (OCR) may still impose penalties for non-compliance issues that contributed to a breach, but OCR must take into consideration the cybersecurity practices that were in place to reduce risk during the 12 months before the breach. The shield – the safe harbor – is only available if an organization has, in advance, adopted and followed good cybersecurity practices recognized by statutory authorities.
Safe Harbor Bill Faces Rulemaking Period Before Becoming Effective
Before it becomes effective, the HIPAA Safe Harbor Bill must go through the federal rulemaking process, which could take months or longer. There will be a Notice of Proposed Rulemaking (NPRM) and a comment period before the changes are written into the existing HIPAA rules. When the 2009 HITECH Act became law, four years passed before the 2013 HIPAA Omnibus Rule became effective.
It may also be delayed because of the change in Administration, or because OCR is currently focused on an update to the HIPAA Privacy Rule based on the Notice of Proposed Rulemaking issued in December. The HIPAA Safe Harbor law is relatively simple and brief compared to the longer Privacy Rule changes, so it may proceed faster. As noted in our earlier blog, HIPAA is Not Political, so there is no reason to think either set of proposed changes will face an uphill battle.
Follow HIPAA Privacy Rule to Fulfill Cybersecurity Requirements
It’s critically important to continue to follow all the HIPAA Rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. If you plan to adopt industry-standard security measures, like the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), remember that the NIST framework is only one part of a larger compliance program.
A complete HIPAA Risk Analysis includes all standards, implementation specifications and requirements of the HIPAA Privacy, Security and Breach Notification Rules. There is no crosswalk between the NIST CSF and the HIPAA Privacy or Breach Notification Rules because CSF subject matter relates only to elements of the HIPAA Security Rule. And the HIPAA Privacy Rule is the most important and fundamental HIPAA Rule.
Following the new HIPAA Safe Harbor law is a good idea, not only because it could help defend against an OCR audit or investigation, but also because it will reduce the likelihood of damaging cyber attacks and ransomware. The benefits are immediate: a stronger, more secure information infrastructure.
The HIPAA E-Tool® Contains Everything Needed
Following industry-wide standards does not need to be complicated or expensive. You need to know what the standards are and have guidance on how to implement them. If you’ve already started, review your program to make sure it’s complete.
All the rules are covered in The HIPAA E-Tool® with step-by-step guidance on compliance with the Security Rule, Risk Analysis – Risk Management, and Breach Notification, including all the legal citations that show you the source of each requirement. The Risk Analysis – Risk Management module incorporates NIST.
If you have questions, we have answers, and can help you avoid heavy fines, audits and litigation. HIPAA compliance is easy step-by-step, once you know the steps.