HIPAA safe harbor law: What is it, and does it apply to your organization?
On January 5, 2021, H.R.7898 — nicknamed the HIPAA safe harbor bill — became law.
The law impacts healthcare organizations that experience a cyberattack or data breach. It requires Health and Human Services (HHS), when determining fines and penalties, to take into consideration whether the healthcare organization had implemented recognized security practices at least 12 months prior to the attack.
The benefits of H.R.7898
The HIPAA safe harbor law provides two distinct benefits to healthcare organizations.
The first is that it reduces heightened scrutiny from regulators, as well as the penalties and fines imposed for HIPAA violations that result from a data breach.
The truth is, healthcare organizations that have adopted and maintained robust cybersecurity practices and industry frameworks are never completely protected from cyberattacks and data breaches — nothing is 100% foolproof — but they’re much closer to that 100% than an organization that has an outdated, ad-hoc or even nonexistent security program.
The rationale for the HIPAA safe harbor law was, if a healthcare organization seemingly did everything right, why should they be punished to the same level as a healthcare organization that invested little into security and risk management? With H.R.7898, Congress has declared that no, healthcare organizations should not be punished for doing the right thing.
The second benefit is that this law incentivizes healthcare organizations to voluntarily improve their cybersecurity and risk management practices, and that’s good for the industry as a whole. Employees and patients alike benefit from an organized information security program. And investing in robust security practices pays for itself considering the HIPAA safe harbor law would likely protect the organization from steep fines and penalties if, despite their best efforts, a data breach does occur.
The American Hospital Association is excited about the benefits of this law and what it means for healthcare organizations across the U.S. The Healthcare and Public Health Sector Coordinating Council has also expressed its support for the law. So with that in mind, let’s dive into how you can fall under the safe harbor — aka what constitutes a viable program.
What makes up a viable information security program?
Healthcare organizations aren’t protected under the safe harbor law if they haven’t implemented a viable information security program.
To be viable, the information security program at a minimum must meet two criteria for the safe harbor law to apply: 1) the program has to have been in place and fully functional for at least 12 months prior to a data breach, and 2) the program must consist of “recognized security practices,” meaning standards, guidelines, best practices, methodologies, procedures and processes developed in accordance with guidelines set forth by the National Institute of Standards and Technology (NIST). It’s in your organization’s best interest to understand what constitutes a viable program and get started sooner rather than later.
Here are the three areas you should focus on:
1. Create a formal information security program
To start, do you know what your current program looks like? Is it in compliance with HIPAA? Are you following best practices? It’s not enough to hope your current program is good enough if the Office for Civil Rights (OCR) comes knocking.
An independent third party specializing in regulatory compliance and risk management can assess your organization, create a report that identifies gaps and mitigation activities, and even assist you with remediation.
If you’ve had third parties come in before to perform security-related assessments, did your organization act on their findings? And when was the last time any of these assessments were performed? Has it been over a year? Now is the time to identify what makes up a robust information security program (e.g., policy/procedure, risk management, dedicated program management, employee training, etc.) and implement those best practices.
Once you understand the scope of a robust information security program, you may realize you need an information security officer to handle these responsibilities.
Read more: Top benefits of a virtual chief information security officer — and what to look for
2. Base your program on an industry framework
Many healthcare organizations claim they have a security program in place, but the HIPAA safe harbor law requires that the program be based on recognized security practices. Smaller organizations tend to put IT directors in charge of security, unaware that those directors often lack the specialized knowledge and experience required to build and maintain an effective information security program. So, even if you do have a program, it may not be based on recognized security practices.
Luckily, there are industry frameworks you can base your program on. HITRUST, ISO 27001 and the NIST cybersecurity framework are all great options. They provide organizations with comprehensive security and privacy guidance designed to ensure the confidentiality, integrity and availability of sensitive data, assist with regulatory compliance and create the means for ongoing risk management. And by formally certifying against any of these frameworks, an organization can demonstrate its compliance with the framework to anyone who needs that reassurance, from customers to vendors to OCR and HHS.
Read more: What is HITRUST, and why does it matter?
3. Maintain your program
A key component of a viable information security program is risk management. Risk management is not a once-a-year event; it is an ongoing activity that requires constant attention. It’s no different than how you manage financial risks, patient safety risks and other risks associated with operating a healthcare organization. Technology is constantly evolving, new threats are conceived and existing threats are always changing. What was once a low risk can change in a second to a high risk requiring immediate action, and what was once a high risk can become less dangerous, which could allow for easing of controls. Your security program must adapt.
Having a third party annually assess your risk management program is just one part of maintaining it. Your information security officer must stay continually engaged in risk management by working with others (e.g., IT) to identify, analyze and mitigate risks, and to monitor the effectiveness of existing security controls.
It’s also important to understand that the threats and vulnerabilities that create risk are not just related to information technology. Insider threats (e.g., disgruntled, fraudulent, nosy or careless employees), whistleblowers and regulatory non-compliance are all risks that, if not properly mitigated, could lead to a breach — resulting in reputational damage, costly fines and penalties, and civil or criminal lawsuits. Your information security program should take into account all the different types of anticipated threats.
Read more: Why security risk management isn't a once-a-year event
Wipfli can help
The cybersecurity and risk management professionals at Wipfli can help your healthcare organization implement viable information security and risk management programs that stand up to OCR and HHS scrutiny. We can assist you with implementing a program based on the HITRUST, NIST or ISO frameworks, and we can even help you choose which framework to go with based on business requirements, level of effort, cost and other factors important to your organization. Contact us to get started.
We can also provide vulnerability scanning, penetration testing, risk assessments, policy development, vCISO services and other cybersecurity services that help keep your organization protected. Click here to learn more.