Does your business work with HIPAA-protected information? If it does, you should know about the latest legislative change affecting companies that handle PHI (protected health information). A new law, the HIPAA Safe Harbor Law, has been signed to give healthcare organizations an incentive to adopt recognized security best practices.
Here are some things you should know about the new HIPAA Safe Harbor Law that was signed in January 2021.
What is the HIPAA Safe Harbor Law?
HR 7898, or the HIPAA Safe Harbor Bill, amends the HITECH Act to “require the Department of Health and Human Services (HHS) to take into account if practices have ‘recognized security practices’ in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements,” according to Abyde.
Essentially, if your business has the correct HIPAA Security Rule procedures and safeguards in place, it will face lower fines if and when a breach occurs. The law was created to ease some of the cybersecurity burden healthcare organizations carry: it protects businesses in the event of a breach they could not reasonably have prevented, and it gives them a reason to take a hard look at their current security measures.
When HIPAA was introduced, cybersecurity was not among its considerations, and as a result many healthcare providers are sorely lacking in certain cybersecurity areas. The new law addresses that by motivating businesses to close the gap between their current processes and current security best-practice standards.
Eligibility and Application of the HIPAA Safe Harbor Law
For your business to be covered under this new law, it has to meet specific criteria, and HHS in turn is bound to specific responses:
- Your business must be able to show that it has had industry-standard security measures in place for the previous 12 months.
- HHS will consider existing cybersecurity measures when calculating fines – this is done in place of issuing penalties for unpreventable attacks.
- If the impacted business can demonstrate it has met industry-standard security best practices, HHS must decrease the “extent and length of an audit.”
- Lastly, if the business is out of compliance with NIST guidelines or the Cybersecurity Act of 2015, HHS cannot hold this against it – neither fines nor audit lengths can be increased on that basis.
According to Cybersecurity Ventures, a cyber attack will occur every 11 seconds in 2021 – nearly double the 2019 rate (every 19 seconds) and four times the 2016 rate (every 40 seconds). As more and more people log in to perform business, personal, and medical functions, cybercriminals get more creative with their attacks.
The HIPAA Safe Harbor Law is intended as an incentive for businesses that hold sensitive healthcare information to begin improving the quality of their security measures.
Now is a great time for your business to review the security measures you currently have, assess for weaknesses, and increase your overall protection of healthcare data.
This new law is encouraging healthcare-based organizations to conduct comprehensive risk assessments to start increasing protection in areas that may have been left vulnerable for years.
CyberFort Can Help Protect Your Files
Our experts at CyberFort Advisors are here to help your business secure its cyber assets, whether through security file activity monitoring, user activity monitoring, security awareness training, or other potential trouble spots.
Contact us at 1 (866) 221-4004 or email [email protected] to learn more.