HIPAA Safe Harbor Act – Complete Guide
The HIPAA Safe Harbor Act was designed to limit the fines associated with a data breach for healthcare organizations that implement “recognized security practices.” Do you have your cybersecurity practices in place? Learn more about how to identify what you need to mitigate risk.
Organizations that take proactive steps to implement cybersecurity initiatives to protect their customers and employees are becoming more commonplace. Yet, there are still many examples of organizations falling victim to bad actors’ efforts to steal sensitive information for financial gain.
This scenario has become a more common tale within the healthcare industry, especially as malicious players continue to take advantage of the COVID-19 pandemic. In fact, according to the Cybersecurity & Infrastructure Security Agency (CISA), personal health information (PHI) is estimated to be worth 10-20 times the value of credit card data on the dark web.
Data breaches targeting PHI are clearly not going away, creating a new level of urgency for enhanced cybersecurity within the healthcare industry. As regulatory oversight in the healthcare industry increases, ensuring Healthcare Insurance Portability and Accountability Act (HIPAA) compliance becomes more valuable to you and your customers than ever.
HITECH and HIPAA Compliance
In an effort to increase cybersecurity initiatives within healthcare organizations, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009. HITECH was designed to encourage healthcare providers to adopt electronic health records (EHRs) and increase privacy and security around PHI.
This was an incredibly important introduction to the healthcare industry because it encouraged the adoption of a system that ensured a heightened level of accountability for HIPAA compliance. HIPAA is a United States law that includes a set of safeguards that covered entities and business associates must follow to protect health information. Before HITECH was passed, organizations could avoid sanctions for a breach of PHI by a business associate by claiming they did not know the business associate was not HIPAA compliant. This was extremely easy to do, considering the majority of health records were kept only on paper.
HITECH, however, applies the HIPAA Security and Privacy Rules to business associates, so everyone is responsible for maintaining HIPAA compliance. As a result, it inspired tougher penalties for HIPAA violations, not only for covered entities but for their business associates as well. The maximum penalty for a HIPAA violation increased to $1.5 million per violation category per year.
But as we previously mentioned, even the best-laid plans can go awry. So, what happens to the healthcare organizations that do take every precaution possible to protect PHI and still suffer a HIPAA violation? Let’s find out.
HIPAA Safe Harbor Act
In January 2021, the HIPAA Safe Harbor Act, officially H.R. 7898, was signed into law by then-President Trump as a HITECH amendment. The bill specifically reduces financial penalties and the length of compliance inspections for covered entities and business associates that can prove recognized security practices have been in place for at least one year.
These “recognized security practices” are specifically defined in the bill as “voluntary, consensus-based, industry-led standards, guidelines, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology (NIST), approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
But, what does this mean? Implementing cybersecurity practices, like those set forth by NIST, illustrates an organization’s efforts to adequately protect PHI and other sensitive data from cybersecurity risk. This, coupled with an organization’s efforts to follow the basic HIPAA Privacy Rule provisions and safeguards, makes the organization eligible for consideration of a lower fine or penalty from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in the event of a cybersecurity incident.
A-LIGN Can Help
Though most healthcare organizations are familiar with NIST and the HIPAA Security Rule, the reality is that most organizations just don’t know how to properly — or effectively — follow and implement NIST guidelines. According to the Journal of AHIMA, HIPAA audit results from 2016 and 2017 revealed nearly 80% of audited covered entities and business associates demonstrated less than adequate risk management and risk analyses. And to date, the OCR still finds a “lack of thorough risk analysis” in a high percentage of its investigations.
Don’t be caught unprepared — A-LIGN is here to help you navigate HIPAA and HITECH compliance. A-LIGN’s assessors will review your organization’s safeguards to identify areas where you can enhance your information security program to ensure compliance and give you actionable guidance to help you get to where you need to be.
A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process