House Approves the HIPAA Safe Harbor Bill to Reward HIPAA-Covered Entities that Adopt Cybersecurity Best Practices

The House Energy and Commerce Committee passed the HIPAA Safe Harbor Bill (HR 7988). The bill would amend the HITECH Act so that the Department of Health and Human Services (HHS) must consider whether a HIPAA-covered entity or business associate has been following recognized cybersecurity best practices when it makes certain decisions, such as setting the financial penalties for a security breach or taking other regulatory actions.

If the HIPAA Safe Harbor Bill becomes law, it will reward covered entities and business associates that follow recognized cybersecurity practices with lower financial penalties and shorter compliance inspections. Under the bill, the HHS Secretary must examine the facts to determine whether the covered entity has had recognized security practices in place for at least one year. If so, financial penalties can be reduced, an audit can be concluded quickly and favorably, or remedies can be offset when HHS resolves a potential violation of the HIPAA Security Rule.

‘Recognized Security Practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act and the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, together with other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

The HIPAA Safe Harbor Bill's objective is only to lessen potential sanctions, penalties, and the length of audits for entities that have adopted cybersecurity best practices. It does not give HHS the power to extend audits or impose higher penalties on an entity found not to be following recognized security practices.

The House approved the bill quickly, and the Senate is expected to approve it as well. The bill received strong support from health IT industry stakeholders such as HITRUST. HITRUST believes the bill will improve the cybersecurity posture of the healthcare industry, encourage healthcare organizations to comply proactively with HIPAA, and allow entities to use the HITRUST Cybersecurity Standard Framework (CSF) Certification as recognition of their proactive efforts to protect healthcare information.

The bill is also supported by the Healthcare and Public Health Sector Coordinating Council (HSCC). The HSCC believes the bill gives healthcare companies a positive incentive to invest more in cybersecurity, supporting both HIPAA compliance and patient safety.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at