Specifically, if the HHS Secretary determines that a covered entity or business associate has had recognized security practices in place for a year or more, the Secretary may:
- Early-terminate an audit, in the entity’s favor;
- Reduce the amount of a fine;
- Lessen the remedies, such as a corrective action plan (CAP) that HHS might have otherwise imposed.
The legislation recognizes the significance of cyberthreats to the healthcare sector while addressing concerns raised within the healthcare industry. Many in the industry have complained that HIPAA enforcement actions have imposed significant penalties on organizations that, even with cybersecurity programs employing best practices, have been victimized by cyberattacks.
The authors of the bill, which has been transmitted to the Senate, believe that a safe harbor will encourage investment in cybersecurity not only for the sake of regulatory compliance, but to enhance patient safety.
Proposed HIPAA Safe Harbor Bill: Are There Recent Similar Cybersecurity Regulations?
The bill is the latest in a series of safe harbor initiatives designed to improve quality of care. In late November of 2020, HHS published two final rules to reduce regulatory barriers and improve care coordination, which both contain safe harbor provisions that will allow health systems and hospitals to donate cybersecurity technologies to provider offices. These finalized changes to the Anti-Kickback Statute and Stark Laws are designed to remove barriers to s