- December 3, 2021
Growing cybersecurity concerns have impacted every industry worldwide. For example, in the United States, healthcare providers must comply with the Health Insurance Portability and Accountability Act, commonly known as HIPAA. It includes a set of standards that guarantee a patient’s privacy and details the procedures to follow in case of a data breach.
The HIPAA Safe Harbor Act, officially signed into law on January 5th, 2021, amends the HITECH Act. In addition, the Safe Harbor Act mandates the Department of Health and Human Services (HHS) to implement the best cyber security practices to meet HIPAA requirements. Congress proposed the HIPAA Safe Harbor Act after data breaches, ransomware attacks, and increased cybercrime since the onset of the pandemic.
The Safe Harbor Act aims to reduce fines associated with data breaches for healthcare organizations that comply with NIST cybersecurity best and standard practices. In addition, it precisely defines the HIPAA Privacy Rule, which requires healthcare entities to de-identify health data associated with patients, employees, and other members.
According to the 2021 Horizon Report, healthcare is the most targeted sector, with over 79% reported security incidents. The various findings of this report underscored the importance of strengthening cybersecurity measures and frameworks within the said sector, including incident response plans to minimize associated risks and protect sensitive data.
The Significance of HIPAA ‘Safe Harbor’ Act
The primary purpose of the Health Information Technology for Economic and Clinical Health (HITECH) Act was to increase cybersecurity initiatives within healthcare organizations. It encouraged the adoption of electronic health records or EHRs for improving privacy and security around personal health information. In addition, HITECH pushed for HIPAA Security and Privacy Rules to business associates to make everyone HIPAA compliant. Unfortunately, it led to strict penalties and fines for organizations and business associates. The Safe Harbor Act works to balance this inequity.
The HIPAA Safe Harbor Act provides more excellent protection to healthcare providers or entities in the long run. In addition, it changes the perception of organizations after a cyber attack or data breach. Through this change, the government has acknowledged that the providers are the victims of cyberattacks which are not always preventable. Therefore, levying hefty fines is not the solution. Instead, it is necessary to encourage providers to exercise best practices and comply with the HIPAA Privacy and Security Rules.
Summarising critical factors under the HIPAA Safe Harbor Act:
- While calculating fines related to security incidents, the HHS will consider specific cybersecurity efforts of the health care provider.
- Organizations must demonstrate that they have had industry-standard security measures and risk analysis in place for the last 12 months to receive the benefits of reduced enforcement.
- In cases where the practices do not meet basic security standards, the HHS can not increase the acceptable penalty amount or extent of the audit process.
- The HIPAA Safe Harbor Act corrected some technical elements of the 21st Century Cures Act. In addition, the new law authorizes the Office of the Inspector General (OIG) to get information, assistance, and other support from federal agencies when investigating claims of information blocking by health care providers.
The Impact of HIPAA Safe Harbor Act on Business Operations
The HIPAA Safe Harbor law offers two significant benefits to healthcare organizations. First, it reduces heightened scrutiny from regulators and reduces penalties or fines for violating HIPAA because of a data breach. And secondly, the incentives that healthcare providers or organizations can enjoy after voluntarily improving their cybersecurity and risk management practices.
The recognized cybersecurity practices in the Safe Harbor Bill refer to two frameworks, the National Institute of Standards and Technology Act and section 405(d) under the Cybersecurity Act of 2015. Implementing cybersecurity practices developed through regulations under statutory authorities highlights the organization’s efforts to protect PHI and other sensitive data adequately from cybersecurity risk. Healthcare organizations or businesses must follow the HIPAA security rule to identify weaknesses and areas that need improvement through a completed Security Risk Analysis. Then, they should implement suitable technical safeguards to mitigate identifiable risks.
The increasing cyberattacks on healthcare facilities have highlighted the need for more effective incident response plans. A report from the Department of Health and Human Services of the United States stated that 34% of healthcare organizations were affected by ransomware attacks last year. Getting incentives for practicing industry-standard cybersecurity practices comes with double benefits for healthcare organizations. On the one hand, they can receive incentives, and on the other, they have strong cybersecurity defense measures to thwart any attack.
Cybersecurity Best Practices Associated with HIPAA Safe Habor Act
- First, adopt a defense-in-depth security posture and protection mechanisms and robust data segregation in all environments.
- Offer self-audit support for HIPAA and HITECH.
- Prepare for 24/7 threat monitoring and ongoing patching.
- Prevent data and electronic Protected Health Information (ePHI) threats to maintain confidentiality and integrity.
- Utilize administrative, technical, and physical safeguards to protect ePHI.
Although most healthcare organizations are familiar with the NIST, most do not effectively follow or implement the NIST guidelines. The new HIPAA Safe Harbor law will reduce the likelihood of damaging ransomware and cyberattacks and defend against an OCR audit or investigation. While there is no specific timeline for the HHS to develop regulations that implement the law, businesses and their associates should begin preparation at the earliest.
Compliance and strong cybersecurity measures can help organizations brace themselves for the rising cyber threats in the healthcare sector. All in all, security teams must prioritize best practices and refocus their resources and budgets on the highest associated risks to critical operations. With quantitative cyber risk analysis from reputable HIPAA-certified experts, an organization can improve strategic planning and prioritization of various security initiatives for reducing cyber risk while optimizing expenditure.