House Approves the HIPAA Safe Harbor Bill to Reward HIPAA-Covered Entities that Adopt Cybersecurity Best Practices

The House Energy and Commerce Committee passed the HIPAA Safe Harbor Bill (HR 7988). The bill would amend the HITECH Act so that the Department of Health and Human Services must consider whether a HIPAA-covered entity or business associate has been following recognized cybersecurity best practices when making certain decisions, such as setting financial penalties for security breaches or taking other regulatory actions.

If the HIPAA Safe Harbor Bill is approved, it will reward covered entities and business associates that follow recognized cybersecurity practices with lower financial penalties and shorter compliance audits. Under the law, the HHS Secretary must examine the facts to determine whether the covered entity has had security practices in place for at least one year. If so, financial penalties can be reduced, an audit can be ended quickly and favorably, or remedies can be mitigated when potential violations of the HIPAA Security Rule are handled.

The ‘Recognized Security Practices’ refer to the standards and guidelines found under section 2(c)(15) of the National Institute of Standards and Technology Act and section 405(d) of the Cybersecurity Act of 2015, as well as other cybersecurity programs and procedures that are developed, recognized, or promulgated through regulations under other statutory authorities.

The HIPAA Safe Harbor Bill’s objective is to lessen potential sanctions, penalties, and the length of audits only when the entity has adopted cybersecurity best practices. It does not give HHS the power to extend audits or issue higher penalties if the entity is found not to be following recognized security practices.

The House quickly approved the bill and the Senate is expected to approve it as well. The bill received strong support from health IT industry stakeholder institutions such as HITRUST. HITRUST believes that the bill will improve the cybersecurity posture of the healthcare industry, that it will encourage healthcare firms to comply proactively with HIPAA, and that it will give entities holding the HITRUST Cybersecurity Standard Framework (CSF) Certification recognition for their proactive efforts in protecting healthcare information.

Additionally, the bill is supported by the Healthcare and Public Health Sector Coordinating Council (HSCC). HSCC believes that the bill gives healthcare companies a favorable incentive to spend more on cybersecurity to ensure HIPAA compliance and patient safety.