Recent legislation approved by the House Energy and Commerce Committee known as HR 7898 would require the Department of Health and Human Services (HHS) to incentivize a covered entity’s or business associate’s HIPAA cybersecurity best practices. Under this legislation, HHS, when deciding whether to issue a fine, would take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule. The details of this HIPAA Safe Harbor bill are discussed below.
Proposed HIPAA Cybersecurity Best Practices Bill: What Are Recognized Security Practices?
The HIPAA safe harbor bill defines “recognized security practices” broadly, to mean:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.
How Are HIPAA Cybersecurity Best Practices Rewarded Under the Proposed Bill?
The proposed HIPAA safe harbor bill would amend the HITECH Act to require HHS to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action. The HIPAA Safe Harbor bill would also require HHS to consider whether a business has met these recognized security practices when determining the amount of fines to issue. The bill provides that if HHS determines a provider has met the HIPAA cybersecurity best practice requirements, HHS can lower the fine, and can decrease the length and extent of an audit.
Specifically, if the HHS Secretary determines that a covered entity or business associate has had recognized security practices in place for a year or more, the Secretary may:
- Early-terminate an audit, in the entity’s favor;
- Reduce the amount of a fine;
- Lessen the remedies, such as a corrective action plan (CAP) that HHS might have otherwise imposed.
The legislation recognizes the significance of cyberthreats to the healthcare sector, while addressing concerns of players in the healthcare industry. Many people in the healthcare industry have complained that HIPAA enforcement actions have issued significant penalties to organizations that, even with cybersecurity programs employing best practices, have been victimized by cybersecurity attacks.
The authors of the bill, which has been transmitted to the Senate, believe that a safe harbor will encourage investment in cybersecurity not only for the sake of regulatory compliance, but to enhance patient safety.
Proposed HIPAA Safe Harbor Bill: Are There Recent Similar Cybersecurity Regulations?
The bill is the latest in a series of safe harbor initiatives designed to improve quality of care. In late November of 2020, HHS published two final rules to reduce regulatory barriers and improve care coordination, both of which contain safe harbor provisions that will allow health systems and hospitals to donate cybersecurity technologies to provider offices. These finalized changes to the Anti-Kickback Statute and Stark Law are designed to remove barriers to sharing valuable cybersecurity tools with providers, which often have limited resources, and should address the growing cybersecurity risks to data systems.