HIPAA Cybersecurity Best Practices: What Must HHS Consider?
The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action and how large a fine to issue. Specifically, HHS must consider whether the covered entity or business associate has adequately demonstrated that it had recognized security practices in place for not less than the previous 12 months. If those practices were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit.
HHS must now develop regulations that implement the law. There is no specific timeline for HHS to do so, although covered entities and business associates should begin preparing now.
The legislation recognizes the significance of cyberthreats to the healthcare sector while addressing concerns raised by participants in the healthcare industry. Many in the industry have complained that HIPAA enforcement actions have imposed significant penalties on organizations that, despite having cybersecurity programs employing best practices, have been victimized by cyberattacks.