What You Need to Know About the Safe Harbor Act and What it Means for Your Practice

The HIPAA Safe Harbor Act was signed into law by President Trump on January 5, 2021. The law states that the Department of Health and Human Services (HHS) must consider whether organizations have utilized best practices for cybersecurity when investigating a data breach and undertaking HIPAA enforcement actions.

In addition, the law states that HHS is required to reduce the extent and length of an audit if it’s determined the entity has met best practice security requirements. The act also states that HHS does not have any authority to increase fines or the extent of an audit when an entity is found to be out of compliance with security standards.

Prior to the HIPAA Safe Harbor Act, HHS issued severe HIPAA penalties against facilities that were victimized by cyberattacks. This happened even though the entities had taken precautions and had cybersecurity programs. This law was put into place to rebalance these inequities.

What Does the Act Mean for Practices?

As cyberattacks continue to rise, the HIPAA Safe Harbor Act helps to protect practices that have taken reasonable cybersecurity precautions. While the law does not exempt entities from penalties if they have implemented HIPAA safeguards and best practices, it does provide an opportunity for HHS to reduce or refrain from invoking penalties under specific circumstances.

The law was also put into place to encourage practices to invest in cybersecurity systems to increase patient safety and regulatory compliance.

How to Ensure Compliance with the HIPAA Safe Harbor Act

Practices that have implemented appropriate security standards and have documented those measures do not need to do anything additional to comply with the HIPAA Safe Harbor Act. If, despite your best efforts, a violation occurs, the law only impacts HHS's discretion on fines or audits.

If your organization or practice is unsure whether there may be gaps in HIPAA compliance, it is important to conduct a thorough risk assessment. Doing so will help reduce the likelihood of a violation. Should a violation still occur, the penalty for non-compliance will likely be much less. As with all efforts made to comply with HIPAA, documentation is key to demonstrating compliance.

Experience Better Healthcare Compliance

MedSafe is the nation’s leading one-stop resource for outsourced accreditation and healthcare compliance solutions. For over 20 years, we have been providing peace of mind to hospital groups, private practices, and their business associates. Our suite of onsite and online training services, including OSHA, HIPAA, Corporate Compliance and Code Auditing, better equips your practice with the necessary tools and skills to achieve and maintain regulatory billing compliance. MedSafe takes a hands-on approach and works directly with your team to uncover issues and define suitable solutions.