March 2021 Bulletin: HIPAA Safe Harbor for Cybersecurity Act (HR 7898): HHS Incentives for Cybersecurity Efforts by Your Practice

March 25, 2021
Dear OMIC Insureds:

In the last 2 months alone, cyberattacks against healthcare entities increased by 45 percent. The longer trend points the same way: in 2020 there were 642 cybersecurity breaches involving 500 or more records, compared to 519 breaches in 2019 and 368 breaches in 2018.

As a positive incentive for healthcare providers to increase investment in cybersecurity, for the benefit of regulatory compliance and, ultimately, patient safety, the HIPAA Safe Harbor for Cybersecurity Act was signed into law in January 2021. The HIPAA Safe Harbor bill amends the HITECH Act, requiring the Department of Health and Human Services (HHS) to provide incentives for best-practice cybersecurity measures that meet HIPAA requirements. The Senate unanimously passed the legislation without amendment on December 19, 2020.

This legislation directs HHS to consider a covered entity’s or business associate’s use of industry-standard security practices within the previous 12 months when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes. Specifically, HHS is directed to consider:

  • easing of fines related to security incidents, and
  • early, favorable termination of an audit, if it’s determined the impacted entity has indeed met industry-standard best practice security requirements.

Of note, these changes to the HITECH Act do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards.

To qualify for safe harbor consideration under the new law, “recognized security practices” need to have been in place in your practice for not less than 12 months prior to an HHS investigation, HIPAA enforcement action, or other regulatory review. We recommend you begin implementing these practices now so that your practice will qualify for these safe harbor considerations when the 12-month window is counted.

Use these resources for specific guidance on the standards, best practices, methodologies, procedures, and processes that count as “recognized security practices”:

  1. The National Institute of Standards and Technology Act (NIST Act): the NIST Cybersecurity Framework
  2. The Cybersecurity Act of 2015: Health Industry Cybersecurity Practices (HICP)
  3. Other statutory authorities that require specific programs and processes, such as state requirements (for example, state data breach notification laws)
  4. Practices determined by the covered entity or business associate, consistent with the HIPAA Security Rule

In addition, HHS provides safe harbors under the federal Anti-Kickback Statute. Its final rule amends those safe harbors by adding new ones and modifying existing ones that protect certain payment practices and business arrangements from sanctions under the statute.

View a risk management presentation on this topic, “Sail Into the New HIPAA Safe Harbor,” on our website (OMIC CyberNET page).

If you have questions, contact us for confidential risk management advice at riskmanagement@omic.com, or call us at 1-800-562-6642 and enter 4 for Risk Management.

Sincerely,

Hans K. Bruhn, MHS, OMIC Risk Manager

CONFIDENTIALITY NOTICE: This correspondence is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this e-mail in error, please call me and destroy the original message and all copies.
As long as we have a current email address for you, you will automatically receive this message. If you do not wish to receive the E-Bulletin, please click the reply button and write REMOVE in the subject line or email omic@omic.com.
