HIPAA Safe Harbor Offers Limited But Important Protection
The HR 7898 HIPAA Safe Harbor Law, enacted in 2021, created a “safe harbor” for HIPAA-covered entities and their business associates when potentially facing fines and other penalties under HIPAA. But there are nuances to the law that risk managers and compliance officers must consider.
The most important point may be that the safe harbor law, while offering substantial protection, does not provide a true safe harbor.
A typical safe harbor shields an entity from liability when certain conditions are met, whereas the HIPAA Safe Harbor Law only offers some protection in certain circumstances, says Kenneth K. Dort, JD, partner with Faegre Drinker Biddle & Reath in Chicago. The HIPAA Safe Harbor Law requires the Office for Civil Rights (OCR) to consider whether a covered entity had implemented certain technical safeguards for 12 months. If so, it allows OCR leniency in assessing the breach.
But how much leniency is undefined.
“It is very much not specific about how OCR must respond. Perhaps they will require audits by a third party every other year instead of every year, maybe for 10 years instead of 20 years,” Dort says. “I’ve wondered if OCR comes to the table in somewhat bad faith and says, ‘We’re going to fine you $1 million, but now we’ll only fine you $900,000,’ when really they always intended to fine you $900,000.”
OCR already considered the circumstances of a HIPAA breach, including what technical safeguards were in place, and other components of a privacy compliance program. Dort says he is unsure of the additional value in the Safe Harbor Law.
For an entity seeking the best treatment from OCR after a breach, Dort says the key will be proving all reasonable and prudent steps were taken to prevent the breach, making it a one-off occurrence that does not reflect negatively on the compliance program. That will require extensive documentation — and probably third-party audits.
“If you can’t show that your regular practices meet the best standards in the way the statute says, OCR may not take that into account,” Dort warns. “Like anything in risk management, you have to prove that you did what you say you did, or it won’t matter.”
W. Reece Hirsch, JD, partner with Morgan Lewis in San Francisco, agrees that even though HR 7898 was titled The HIPAA Safe Harbor Bill, it did not create a true safe harbor. The law does not provide absolute protection for HIPAA-covered entities and business associates, but it does ensure OCR will consider an organization’s implementation of certain recognized security practices when assessing HIPAA penalties or other enforcement actions.
“HR 7898 is beneficial because it reflects a less punitive approach to HIPAA enforcement, recognizing the good work that healthcare organizations have been doing to prevent ransomware and other cyber threats,” Hirsch says.
Because HR 7898 is not a blanket endorsement of all healthcare industry data security standards, it is important to review your security program to determine whether you qualify, Hirsch says.
HR 7898 only applies if the recognized security practices have been in place for the previous 12 months. An organization that has experienced a HIPAA security breach cannot take advantage of the law by implementing those security measures immediately before an OCR investigation.
“Be sure to formally document that your organization is applying one of HR 7898’s recognized security practices in developing its security policies and procedures. You want to make it easy for OCR to see that you have applied practices that must be considered under the law,” Hirsch explains. “Already, OCR has begun to specifically ask whether an organization has implemented recognized security practices in its document requests at the start of an investigation.”
“Recognized security practices” means standards, guidelines, or other approaches developed, recognized, or promulgated through regulations under statutory authorities, such as Section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, or Section 405(d) of the Cybersecurity Act of 2015, says Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix.
“Unfortunately, there are no regulations implementing the amendment, and there is no case law interpreting it. However, the amendment gives HIPAA entities some flexibility in determining their ‘recognized security practices’ so long as the practices are consistent with the HIPAA Security Rule,” Dunlap says. “The amendment also makes clear that OCR cannot hold a HIPAA entity liable for not engaging in recognized security practices, and OCR cannot increase fines or the length, extent, or quantity of an audit due to a lack of recognized security practices.”
Of course, a HIPAA-covered entity still must comply with the HIPAA Security Rule and implement reasonable and appropriate administrative, technical, and physical safeguards to protect its electronic protected health information.
“Historically, we’ve advised HIPAA entity clients to consider the NIST framework and HHS cybersecurity guidance for healthcare entities when evaluating their security measures. But now, there’s a real incentive to do so,” Dunlap explains. “If a HIPAA entity can demonstrate robust security practices based on these industry-recognized standards and approaches, it could result in the favorable termination of an investigation, or audit, or lower settlement amounts or penalties. If a HIPAA entity has the resources, I suggest comparing current security practices to the standards and approaches referenced in the amendment.”
It may turn out the organization already has implemented “recognized security practices,” or is very close, so that a few additional measures will get it there.
“For compliance/privacy personnel responding to an investigation or audit, don’t forget to consider this defense,” Dunlap says. “If your organization can show ‘recognized security practices’ for the past year, you should ask the OCR investigator to take that into consideration and close the investigation or audit — or at least grant some leniency.”
The HIPAA Safe Harbor Law incentivizes healthcare providers to adopt the most appropriate security practices, but it does not provide any penalties for failure to do so, notes William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL. In that sense, it is only beneficial — even though it is not a true safe harbor offering complete protection.
“The settlement agreements are what people sometimes fear the most after a breach because they can be so burdensome and extend for so many years after the incident, and this gives OCR the ability to back off on those,” Dillon says. “It rewards those healthcare providers who are taking cybersecurity more seriously. The crazy thing is that even though HIPAA has been around so long and cyber threats are nothing new, there are still a lot of people in the healthcare arena who are just not taking the security as seriously as they should.”
Some covered entities, especially smaller organizations with fewer resources, may be deficient partly because they do not understand what steps are necessary for the best protection, Dillon says. The HIPAA Safe Harbor Law is helpful in how it outlines what OCR considers the best practices.
The HIPAA Safe Harbor Law underscores the importance of ongoing documentation when dealing with OCR, says Colin J. Zick, JD, partner with Foley Hoag in Boston. A key benefit of the law is how it specifies exactly what OCR will consider evidence of a covered entity’s best intentions and efforts toward compliance.
Regarding documentation, Zick says it is not just about the ability to pull together information when needed. Organizations need to keep that documentation up to date on an ongoing basis so it is ready at a moment’s notice.
“They will ask you what your security practices are, and trying to compile that on the fly as you’re dealing with all the fallout from a breach is very, very difficult,” Zick says. “People may have left the company, or they’re unavailable, or the files are locked up somewhere and you can’t get to them. You need to have a secure and easily available summary of what you have done so that you have something very easy to hand over to the feds when they come.”
The difficulty for covered entities and their business associates, especially small- to medium-size businesses, is understanding what all the requirements mean and providing the financial and human resources to prepare, implement, and monitor the complex security requirements, says Lani M. Dornfeld, JD, CHPC, an attorney with Brach Eichler in Palm Beach, FL.
HIPAA Security Rule compliance is not a “once and done” process, Dornfeld says. It is an ongoing and evolving process that changes over time to address various security risks and vulnerabilities identified by each business.
“Somebody must be minding the store,” Dornfeld says. That means studying the available resources and implementing the right protection.
Dornfeld notes HHS convened a 405(d) Task Group, comprised of more than 150 information security officers, medical professionals, privacy experts, and industry leaders, as a collaboration between industry and the federal government “to align healthcare industry security practices in an effort to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health sector’s cybersecurity posture against cyber threats.”
The Task Group’s first publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, identifies the top five cyber threats (email phishing attack; ransomware attack; loss or theft of equipment or data; insider, accidental, or intentional data loss; and attacks against connected medical devices) and 10 best practices to mitigate the top five threats.
“In the end, covered entities and business associates will need to do more than just have written policies and procedures sitting on a shelf,” Dornfeld says. “They will need to take proactive and meaningful measures to implement those policies, conduct periodic risk assessments, address and manage identified risks and vulnerabilities, monitor systems and overall compliance, ensure staff receive periodic and useful training, and properly manage any breach incident or violation.”
At the top of all this must reside HIPAA privacy and security officers who possess enough knowledge and training to assist their organizations in overall HIPAA compliance initiatives, Dornfeld says. When HHS comes knocking, the organization must be prepared to prove it has adopted and implemented recognized security practices, including details of implementation, responsible individuals, training materials, and other proof the security practices meet the requirements of Section 2(c)(15) and Section 405(d).
The HIPAA Safe Harbor Law does not affect the determination as to whether a breach occurred, notes Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC. The Safe Harbor Law only comes into play after a security breach has occurred.
The entity also should be aware that simply complying with the HIPAA Security Rule likely will not be sufficient to meet the standard of “recognized security practices,” Sheinis says. That will require adhering to the technical requirements specified in the law.
“Meeting the standard of recognized security practices is not easy and is not done quickly. Rather, it takes a great amount of coordination by the entity’s IT professional to demonstrate in writing that the standards have been met,” Sheinis says. “Keep in mind that this safe harbor does not provide automatic immunity from a finding that a security breach occurred or that a penalty should be imposed. However, it can serve as an aid after the fact, to reduce the likelihood or amount of a penalty.”
The Safe Harbor Law is an incentive to entities to improve their security practices, Sheinis says. However, even if this standard is met, an entity still can be penalized for a security breach.
“If an entity never experiences a security breach, they have still benefited by having a higher level of security,” Sheinis says. “Although it is difficult to prove a negative, it might just be that the higher level of security is the reason a security breach never occurred.”