safe harbor2

HIPAA Safe Harbor Bill Encourages Stronger Cybersecurity

A new law amending the HITECH Act was signed by the President on January 5.

The HIPAA Safe Harbor Bill (HR 7898) could help covered entities and business associates defend against HIPAA investigations if they employ strong cybersecurity measures. The law is designed to incentivize healthcare organizations to use industry-standard security practices because if they do, fines will be reduced and audits could be ended early.

The law is not designed as a guarantee for healthcare organizations to avoid all liability, but it can help shield against larger fines or reduce the length of an audit. The Office for Civil Rights (OCR) may still impose penalties for non-compliance issues that contributed to a breach, but OCR must take into consideration the cybersecurity practices that were in place to reduce risk in the 12 months before the breach. The shield – the safe harbor – is only available if an organization has adopted and followed good cybersecurity practices recognized by statutory authorities, in advance.

Safe Harbor Bill Faces Rulemaking Period Before Effective

Before it becomes effective, the HIPAA Safe Harbor Bill must go through the federal rulemaking process which could take months, or longer. There will be a Notice of Proposed Rulemaking (NPRM), and a comment period before being written into existing HIPAA rules. When the 2009 HITECH Act became law, four years passed before the 2013 HIPAA Omnibus Rule became effective.

It may also be delayed due to the change in Administration, or because OCR is currently focused on an update to the HIPAA Privacy Rule, based on the Notice of Proposed Rulemaking issued in December.  The HIPAA Safe Harbor Bill law is relatively simple and brief compared to the longer Privacy Rule changes, so it may proceed faster. As noted in our earlier blog, HIPAA is Not Political so there is no reason to think either set of proposed changes will face an uphill battle.

Follow HIPAA Privacy Rule to Fulfill Cybersecurity Requirements

It’s critically important to continue to follow all the HIPAA Rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. If you plan to adopt industry-standard security measures, like the National Institute of Standards and Technology (NIST), remember that the NIST framework is part of a larger compliance program.

A complete HIPAA Risk Analysis includes all standards, implementation specifications and requirements of the HIPAA Privacy, Security and Breach Notification Rules. There is no crosswalk between the NIST CSF and the HIPAA Privacy or Breach Notification Rules because CSF subject matter relates only to elements of the HIPAA Security Rule. And the HIPAA Privacy Rule is the most important and fundamental HIPAA Rule.

Following the new HIPAA Safe Harbor law is a good idea, not only because it could help defend against an OCR audit or investigation, but because it will reduce the likelihood of damaging cyber attacks and ransomware. The benefits are immediate, with a stronger, more secure information infrastructure.

The HIPAA E-Tool® Contains Everything Needed

Following industry-wide standards does not need to be complicated or expensive. You need to know what the standards are and guidance about how to implement them. If you’ve already started, review your program to make sure it’s complete.

All the rules are covered in The HIPAA E-Tool® with step-by-step guidance about compliance with the Security Rule, Risk Analysis-Risk Management, and Breach Notification, including all the legal citations required to show you the source. The Risk Analysis – Risk Management module incorporates NIST.

If you have questions, we have answers, and can help you avoid heavy fines, audits and litigation. HIPAA compliance is easy step-by-step, once you know the steps.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2021 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
St. Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free