HIPAA Cybersecurity Best Practices

On January 5, 2021, President Trump signed into law legislation approved by the House Energy and Commerce Committee known as HR 7898. HR 7898, now law, requires the Department of Health and Human Services (HHS) to incentivize a covered entity’s or business associate’s cybersecurity best practices. Under this legislation, HHS, when deciding whether to issue a fine, or undertake an audit, must take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule.

HIPAA Cybersecurity Best Practices and HR 7898

The HIPAA Safe Harbor bill defines “recognized security practices” broadly, to mean:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.


HIPAA Cybersecurity Best Practices: What Must HHS Consider?

The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action. The bill also requires HHS to consider whether the organization has met these recognized security practices when determining the amount of fines to issue. Specifically, HHS must consider whether the covered entity or business associate has adequately demonstrated that it had recognized security practices in place for not less than the previous 12 months. If these measures were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit.

HHS must now develop regulations that implement the law. There is no specific timeline for HHS to do so, although covered entities and business associates should begin preparing now.


The legislation recognizes the significance of cyberthreats to the healthcare sector while addressing concerns raised by players in the healthcare industry. Many in the industry have complained that HIPAA enforcement actions have imposed significant penalties on organizations that, even with cybersecurity programs employing best practices, have been victimized by cyberattacks.
