Healthcare industry regulations such as HIPAA, HITECH and the Cybersecurity Act, together with rapid advances in technology and increased cyber-attack risk, have added complexity and cost to securing and protecting patient healthcare information (PHI).
For healthcare industry covered entities and business associates that proactively manage and maintain data security practices, the signing of HR 7898 HIPAA Safe Harbor bill into law on January 5th brought some welcome news.
The Safe Harbor law amended the HITECH Act to require the Department of Health and Human Services (DHHS) to review the adequacy of the healthcare patient data security practices that a covered entity or business associate had in place during the 12 months prior to an identified HIPAA violation.
DHHS is to consider the adequacy of an established security practice based on the guidelines, standards, best practices and methodologies set forth in the National Institute of Standards and Technology Act (NISTA), the Cybersecurity Act of 2015, and other recognized standards.
For organizations with adequate security practices, DHHS now can set lower fines, reduce the size and scope of an audit or terminate it, and reduce the requirements necessary to resolve HIPAA violations. The law encourages HIPAA-covered entities and business associates to maintain and invest in best-practice security programs.
The amendment does not give DHHS the ability to increase established fines or the length, extent or number of audits if an organization's security practices do not meet recognized standard practices.
The law also provides technical corrections that authorize the Office of Inspector General of DHHS to obtain assistance and information from other federal agencies when investigating information blocking.
Even the best data security practices do not eliminate risks of breach. Connect with your Warren Averett advisor to learn more about protecting your organization and what this update may mean for your specific situation.