In January 2021 the US government signed cybersecurity bill HR 7898, known as the HIPAA Safe Harbor Bill, into law. This amendment has important information security consequences for companies operating in healthcare. This article explains the compliance impacts of these new HIPAA standards along with some practical actions for implementing them.
HIPAA Safe Harbor Bill: incentivizing best practice cybersecurity
Now officially US law, HIPAA Safe Harbor directs the Department of Health and Human Services (HHS) to incentivize “recognized security standards” for meeting HIPAA requirements.
The new law states that the HHS must take cybersecurity into account when determining fines related to security breaches. Furthermore, companies regarded as implementing recognized security practices are subject to less stringent audits.
This is good news for healthcare organizations — the new law has the attraction of reduced fines in the event of a breach and less intense audits if you have the right security measures in place.
It’s crucial to note that you only benefit from these more lenient legal changes if you have implemented the necessary security measures in the 12-month period prior to a breach. By being proactive and ensuring your cybersecurity defenses meet the desired industry-standard best practices, you help to mitigate penalties in case of a security breach.
What are the recognized security standards?
For meeting the criteria of recognized security standards, the HIPAA Safe Harbor Bill cites “the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act…and the approaches promulgated under…the Cybersecurity Act of 2015.” These refer to the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and the Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS CSC).
Here is a brief overview of these two security frameworks.
NIST Cybersecurity Framework
- The NIST CSF was published in 2014 in response to an executive order calling for standardized security guidelines for critical infrastructure in the United States.
- The framework contains five core functions: Identify, Protect, Detect, Respond, and Recover.
- Each function contains essential processes, controls, and policies that help mitigate information security risks.
- The NIST CSF gives private sector organizations the knowledge needed to implement a reasonable level of cybersecurity defenses.
CIS Critical Security Controls
- The CIS CSC is a list of 20 actions and resources that provide actionable ways to safeguard against modern cybersecurity threats.
- The security controls are annually reviewed and updated if necessary in line with the latest cybersecurity threat landscape.
- The first version of the controls was published in 2009; the current version is 7.1.
Aligning your cybersecurity strategy with the new HIPAA law
As mentioned previously, if you can demonstrate you have had the right security practices in place over the 12 months prior to a HIPAA data breach or violation, the consequences for your business will be less severe.
Aligning your company’s cybersecurity strategy with the new law is a matter of taking control. Often, data breaches can happen due to factors outside of your control. For example, the vast majority of data breaches occur through human error. Anyone, from patients to staff members, can trigger an audit for a potential HIPAA violation if they are careless or negligent regarding personal information.
The Healthcare and Public Health Sector Coordinating Council (HPH SCC) noted that companies have received severe HIPAA penalties in spite of well-resourced programs that employ industry best cybersecurity practices. The new law addresses and attempts to rebalance this inequity with positive incentives for companies that implement a high standard of cybersecurity practices.
The HIPAA Safe Harbor Bill helps put you back in control by ensuring that if your business takes certain actions, such as implementing best practices in line with an industry-standard cybersecurity framework, you’re protected from the most severe consequences of HIPAA data breaches or violations.
On the other hand, if you don’t put in the effort to implement sufficient best practices, you’re liable for the most severe penalties and fines for HIPAA breaches and violations. Having only some of the recommended cybersecurity measures in place won’t cut it; you need to implement all the recognized security practices.
The first act should be to confirm you are adhering to the guidelines laid out in the NIST CSF, and the 20 controls of the CIS CSC. This may require you to perform an internal risk analysis, and update your risk management plan if necessary. Ultimately, given the severity of HIPAA violations, consulting with experts in both cybersecurity and legal liability could be the wisest move.
The Safe Harbor Bill ultimately benefits all parties. If your business is a Covered Entity or Business Associate under HIPAA, the changes incentivize you to take actions now that reduce potential fines and the scope of audits. Furthermore, by aligning your cybersecurity strategy with the new law, patient data is better protected and less exposed to breaches. This will appeal to both your employees and clients.
The experts at Umbrella are experienced at implementing NIST CSF, CIS CSC, and facilitating HIPAA compliance for healthcare organizations. To find out how we can help you, contact us today.