January 14, 2021
There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place.
What Changed
HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements.
Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one?
What Else to Know
So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives:
- Your practice has to be able to demonstrate having industry-standard security measures in place for 12 months before getting the benefits of reduced enforcement.
- HHS will consider the specific cybersecurity efforts made by the practice when calculating fines related to security incidents.
- Meaning, having a single measure in place that’s unrelated to the reason for the breach doesn’t really cut it, and your practice needs to have their Security Risk Analysis and accompanying mitigation efforts documented and demonstrable to get the benefits.
- On a positive note, HHS can’t increase the fine amount or extent of the audit process if a practice is found to not meet basic security standards.
The next question – what does “recognized cybersecurity practices” mean?
- Number one, following the HIPAA Security Rule to identify your weaknesses and areas requiring mitigation through a completed Security Risk Analysis.
- Second, implementing the right technical safeguards to mitigate those identified risks.
- Third, following all other security practices identified as standards that healthcare organizations should hold themselves to consistent with the HIPAA Security Rule. This includes the NIST Act framework, Cybersecurity Act of 2015, and compliance with the NEW 21st Century Cures Act.
What to do NOW
To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control.
What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.