HIPAA Safe Harbor Law - Good Practices in Security Limit Penalties Recorded Webinar | Jim Sheldon Dean | From: May 12, 2021 - To: Dec 31, 2021 |
For many years, health information has been threatened by information security incidents caused by hackers and by lax practices at HIPAA entities. But even entities that take reasonable and appropriate steps to protect the health information can sometimes suffer a breach or incident that results in a penalty. There is concern that penalties are overly severe and investigations are overly broad when an entity has taken reasonable, responsible steps to protect the information, and the HIPAA Safe Harbor Law is designed to ease that burden. If an entity follows standards and guidance issued by the National Institute of Standards and Technology, and pursuant to the Cybersecurity Act of 2015, investigations and penalties are more limited.
On January 5, 2021, President Donald Trump officially signed HR 7898 into law. The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to incentivize best-practice cybersecurity for meeting HIPAA requirements. The legislation directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices over the previous 12 months when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes. Further, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit if it is determined that the impacted entity has indeed met industry-standard best-practice security requirements.
The law also expressly noted that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards. The term “recognized security practices” means the standards, guidelines, best practices, methodologies, procedures, and processes developed by NIST, the approaches promulgated under the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized or promulgated through regulations under other statutory authorities. The law says that such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.
Once the appropriate practices are in place, they must be documented and applied, with documentation, to show that they have been in place over time. Safe Harbor doesn’t apply unless good practices can be shown to have been in effect for at least a year.
In essence, the HIPAA Safe Harbor Law makes the case for improving information security practices by reducing the penalties and investigations that may occur in the event of an information security incident or breach. Not implementing a good information security management process can clearly lead to tougher investigations and higher penalties.
Learning Objectives:
Why Should you Attend?
Penalties for HIPAA violations have often been in the millions of dollars and may have resulted even when an organization has followed industry-established practices and HHS guidance. But the new HIPAA Safe Harbor Law, signed in January 2021, provides for more limited investigations and penalties when an organization can show it has been following established good practices for at least a year.
Now the reasons for investing in information security are even stronger since you can reduce your exposure to investigations and penalties by following established good practices. The US Department of Health and Human Services has shown no reluctance to enter into settlement agreements and collect financial penalties when a HIPAA entity suffers a breach or other hack that results in security issues. Even when an entity took reasonable steps based on established good practices in security and privacy, a penalty could result from an incident that involves a violation of the rules. The new HIPAA Safe Harbor Law now intends to limit entities’ exposure to investigations resulting from information security issues, and limit potential penalties, but only when the entity has had good information security practices in place for at least a year. If good practices have not been in place, investigations can be expanded and penalties can soar into the millions of dollars.
Who Should Attend?
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of healthcare entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than 18 years of experience specializing in HIPAA compliance; more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development; and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.