On January 5, 2021, H.R. 7898 was signed into law with little fanfare, amending the Health Information Technology for Economic and Clinical Health Act. As the healthcare industry continues to be one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should provide some much-needed relief to beleaguered covered entities and business associates that have spent years and significant dollars implementing cybersecurity best practices. Under this new safe harbor, when calculating fines, evaluating audits or reviewing proposed mitigation steps, the Department of Health & Human Services (HHS) must consider whether the covered entity or business associate adequately demonstrated that it had “recognized security practices” in place for at least the prior 12 months, a showing that would:
(1) Mitigate HIPAA fines.
(2) Result in the early, favorable termination of a HIPAA audit.
(3) Mitigate the remedies in a HIPAA resolution agreement with HHS.
Under the law, the term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” Thus, the new safe harbor has the potential both to significantly incentivize all entities subject to HIPAA to implement cybersecurity best practices and to provide some long-overdue relief to entities that experience a data security incident after having implemented robust security practices. It recognizes that, despite an entity’s best efforts, security incidents still occur, and that highly punitive penalties may not be appropriate in such circumstances. Although the law does not enumerate specific practices, our experience working with HHS in breach investigations is that HHS focuses on existing programs for assessing cybersecurity risks to electronic protected health information (ePHI): annual security risk analyses, an inventory of ePHI, risk management plans, and the implementation of administrative, technical and physical safeguards to address those risks.