
HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

On January 5, the President signed HR 7898, the HIPAA Safe Harbor Bill, into law; it amends the HITECH Act to require HHS to incentivize best practice security.

President Donald Trump officially signed HR 7898 into law on January 5. The HIPAA Safe Harbor Bill amends the HITECH Act to require the Department of Health and Human Services to incentivize best practice cybersecurity for meeting HIPAA requirements.

The bill was first introduced on July 31 and passed easily through the House Energy and Commerce Committee and on to the Senate in mid-December, receiving strong support from a host of industry stakeholders.

The Senate unanimously passed the legislation without amendment on December 19.

The legislation directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices over the preceding 12 months when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes.

Further, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit if it is determined that the impacted entity has indeed met industry-standard best practice security requirements.

The law also expressly states that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards.

“The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under...the NIST Act, the approaches promulgated under... the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities,” according to the law.

“Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule,” it continued.

The Cybersecurity Act of 2015 was developed by a joint taskforce of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, HHS, NIST, and the Department of Homeland Security.

The law also corrected technical elements of the 21st Century Cures Act related to the information blocking enforcement authority of HHS’ Office of the Inspector General.

Specifically, under the new law, OIG is authorized to obtain information, assistance, and other support from federal agencies when investigating claims of information blocking by the developers or entities that offer health information technologies.

When it passed the House E&C Committee, HSCC lauded the bill as an important step toward addressing some of the most pressing cybersecurity issues in the sector. As noted by many healthcare stakeholders, efforts are being made to shore up key vulnerabilities, but hackers continue to victimize the sector.

Notably, recent reports show cyberattacks against healthcare entities increased 45 percent in the last two months.

Further, HSCC noted that often, HIPAA enforcement actions “have applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices.”

“The bill rebalances this inequity by directing HHS, when making determinations against HIPAA-covered entities and their business associates victimized by a cyberattack, to take into account their use of recognized security best practices during the last 12 months,” HSCC officials wrote, at the time.

“More importantly, this provision serves as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety,” they continued.

The law joins several other industry efforts aimed at bolstering healthcare cybersecurity, in an age where healthcare is targeted by hackers in record numbers.

In November, HHS finalized rules that provide a safe harbor for cybersecurity technology donations among providers to reduce regulatory barriers. Most recently, HHS proposed changes to the HIPAA Privacy Rule that would improve a patient's right of access to their medical records.
