
HIPAA Safe Harbor Act: A Map to Future Safety from HIPAA Breaches



NOTICE: This was developed based on our reading of the new law and documentation from the NIST and HHS websites. This is not legal advice.


On January 5, 2021, the HIPAA Safe Harbor Act (the Act) was signed into law. We have recently received several questions about what this new law means in practice, and the purpose of this guide is to answer them. The Act does not create new compliance requirements; instead, it creates a safe harbor for covered entities (CEs) and business associates that have taken recognized cybersecurity precautions. Specifically, the Act requires the Department of Health and Human Services (HHS) to take into account, when it responds to a breach, whether the CE or business associate can adequately demonstrate that it had "recognized security practices" in place for at least the previous 12 months. For background on HIPAA requirements and fines, see our earlier blog on the topic.

When Does It Go Into Effect?

Unfortunately, before the new safe harbor can be applied, it must go through the notice-and-comment rulemaking process required for federal regulations. As such, it will likely be at least a year before the law takes effect in practice.


Impact of "Recognized Security Practices"

If a CE or business associate has had "recognized security practices" in place for the previous 12 months, that would:

  1. Mitigate HIPAA fines
  2. Result in the early, favorable termination of a HIPAA audit
  3. Mitigate the remedies in a HIPAA resolution agreement with HHS

What are "Recognized Security Practices"?

The "recognized security practices" referenced in the Act include:

  • Performing an annual security risk analysis (SRA) and addressing the weaknesses it identifies
    • MarsdenAdvisors Clients: A chart listing the required elements of an SRA is in the PI section of your MIPS Kickoff PowerPoint
    • HHS OCR also publishes guidance on conducting an SRA.
  • NIST Act: Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology (NIST) Act.
  • Cybersecurity Act of 2015: Cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015 (the HHS "405(d)" program and its Health Industry Cybersecurity Practices).
  • Other programs: The Act also recognizes other cybersecurity programs and processes that are developed, recognized, or promulgated through regulations under other statutory authorities.

Additional Cybersecurity Resources

Prepare for Cyberthreats

In addition to the free federal resources above (particularly those listed under the Cybersecurity Act of 2015), we recommend reviewing the Federal Trade Commission's guidance on securing your wireless network. Together, these will help you prepare your practice to defend against cyberthreats.

Respond to Cyberattacks

Below is guidance from the HHS Office for Civil Rights (OCR) on the required and recommended steps to follow in response to a cyberattack at a healthcare practice:

Anti-Virus Software

We recommend that you research, or seek expert opinion on, the anti-virus software your practice uses. But we caution you not to install more than one anti-virus product. Multiple anti-virus applications can slow down your system and interfere with each other, reducing the effectiveness of both. Remember that your computer may already have anti-virus software installed (such as Windows Defender, which is built into Windows 10); on Windows 10, Defender automatically steps aside when a third-party anti-virus product registers itself with Windows, so you should verify which product is actually active rather than assuming.
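One way for your IT staff to confirm that exactly one anti-virus product is active on a Windows 10 or 11 workstation, as an added example that is not part of the original post or of any HHS or AMA material. It assumes the built-in Defender PowerShell module is present and is run from an elevated PowerShell prompt; the decoding of the Security Center `productState` value follows a widely used convention rather than an official Microsoft schema, and the bit masks below are an assumption on that basis.

```powershell
# Added example (not from the original post): list every anti-virus product
# registered with Windows Security and flag overlapping or missing products.
# Assumes Windows 10/11 with the Defender PowerShell module; run elevated.

# 1. Every AV product that has registered with the Security Center.
#    productState is a packed number. By the commonly used convention
#    (an assumption, not an official schema): bit 0x001000 set = enabled,
#    bit 0x000010 set = definitions out of date.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

$decoded = foreach ($p in $products) {
    $state = [int]$p.productState
    [PSCustomObject]@{
        Product  = $p.displayName
        Enabled  = (($state -band 0x001000) -ne 0)
        Outdated = (($state -band 0x000010) -ne 0)
        RawState = ('0x{0:X6}' -f $state)
    }
}
$decoded | Format-Table -AutoSize

# 2. Defender's own view. AMRunningMode is 'Normal' when Defender is the
#    active AV and 'Passive Mode' when a third-party product has taken over.
$mp = Get-MpComputerStatus
[PSCustomObject]@{
    DefenderMode        = $mp.AMRunningMode
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
    SignatureAgeDays    = $mp.AntivirusSignatureAge
    LastSignatureUpdate = $mp.AntivirusSignatureLastUpdated
} | Format-List

# 3. The check the post asks for: more than one enabled product means
#    overlapping anti-virus that should be reconciled; zero means no
#    registered protection at all.
$enabled = @($decoded | Where-Object { $_.Enabled })
if ($enabled.Count -gt 1) {
    Write-Warning ("{0} anti-virus products report as enabled ({1}); keep one and uninstall the rest." -f
        $enabled.Count, ($enabled.Product -join ', '))
} elseif ($enabled.Count -eq 0) {
    Write-Warning "No enabled anti-virus product is registered with Windows Security."
} else {
    Write-Output ("One enabled anti-virus product registered: {0}." -f $enabled[0].Product)
}
# Also flag stale definitions on whichever product is active.
$decoded | Where-Object { $_.Enabled -and $_.Outdated } |
    ForEach-Object { Write-Warning ("{0} reports out-of-date definitions." -f $_.Product) }
```

If the second section reports `Passive Mode` while the first section lists a third-party product as enabled, that is the expected, healthy arrangement: Defender has yielded to the other product and is not competing with it.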

Train Yourself and Your Staff

Below are free training resources:


Additional Physician Cybersecurity Resources from the AMA

Below are free training resources:

The AMA has also developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks.

Download and share with your staff and IT:


Written by Jessica Peterson

Jessica Peterson, MD, MPH is the Senior Vice President of Health Policy at the consulting firm MarsdenAdvisors.
