On January 11, 2021, then-president Donald Trump signed the HIPAA Safe Harbor Bill into law, a new piece of data protection legislation designed to balance the needs of companies against the interest of the general public.
The House Energy and Commerce Committee passed the bill to the Senate in mid-December 2020, and the upper house confirmed the new piece of legislation without amendment on December 19.
The Safe Harbor Law attempts to improve data security while also providing clarity and fairness for healthcare organizations.
The new piece of legislation directs the Department of Health and Human Services (HHS) to take into account not only the business entity’s security practices, but also those of their associates and covered entities, when considering HIPAA regulatory and enforcement actions. This means that organizations can be held accountable for the actions of related third parties.
The law also demands that HHS consider the cybersecurity status of an organization when calculating fines and taking legal action. Having better security could potentially mean lower penalties.
The new law aims to protect organizations from government action. The rules, for instance, put strict limits on the extent and length of HHS audits while also making clear when the entity has met industry-standard security criteria. They also forbid the HHS from increasing fines or deepening the audit if the organization is not in compliance with the rules.
The purpose of the law is to address what lawmakers call “equity issues” regarding organizations under persistent attack by cybercriminals. Many HIPAA actions in the past applied severe penalties to organizations regardless of the sophistication and diligence of their existing cybersecurity practices.
The new amendment makes the current arrangement fairer and properly incentivizes investment in new security measures by improving the cost-benefit ratio. Now companies know that if they put in place well-defined security arrangements, they can protect themselves against HHS auditors looking to extract large fines.
The ultimate goal of the legislation is to encourage health providers to improve cybersecurity for the benefit of patients. The more worthwhile their security efforts are, and the more those efforts protect their financial interests, the more likely providers will be to engage in them. Furthermore, with the inclusion of industry standards such as best practices, guidelines, standards, methodologies and procedures, providers now have a much clearer picture of the security level they need to attain.
This new piece of legislation joins a raft of other changes being introduced by the HHS. For instance, the department finalized a set of rules that allowed hospitals and health systems to donate cybersecurity technologies to providers. New legislation also makes changes to the HIPAA privacy rules, giving patients more control and access rights over their medical records.
Healthcare providers looking to improve their cybersecurity can outsource the task to an IT company in Bridgeport. Seeking external help ensures that providers avoid many of the usual pitfalls and achieve the minimum standards required by the new Safe Harbor law. The new setup should represent an improvement in the relationship between healthcare organizations and regulators.