Let's Talk About the New HIPAA Safe Harbor Act And How It Impacts Cybersecurity In The Healthcare Industry

There's At Least One Change We Think You Should Be Thrilled About!


Recent reports indicate that cyberattacks against health care providers rose about 45% between November 2020 and January 2021. There have also been a number of legislative and regulatory changes in 2021, including proposed changes to the HIPAA Privacy Rule. Yes, these can affect your practice’s HIPAA program, but there’s at least one change we think you should be thrilled about.

After an unprecedented year of cyber threats and HIPAA enforcement, a recently enacted amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act brings some really good news: the potential for reduced HIPAA fines and penalties after a data breach… if the practice can show it had proper security measures in place beforehand.

Translation: If a health care provider can demonstrate that it had recognized security practices in place (the HIPAA Security Rule safeguards, a completed risk analysis, and documented mitigation), HHS must take that into account when it sets the fine, the scope of an audit, and any other remedy. In practice, that can mean a materially lower fine than a practice with no such program would face.

A proactive approach to cybersecurity not only protects your business against these attacks and helps you get back online should one occur… it can also reduce the direct financial cost of a breach.

What Has Changed …

The HIPAA Safe Harbor Bill (HR 7898) was signed into law on January 5th, 2021. It amends the HITECH Act to require HHS to (1) consider whether a practice had “recognized security practices” in place for at least the previous 12 months when it investigates a data breach or other HIPAA violation, and (2) take those practices into account when determining fines, the results and length of an audit, and any other remedies. Note that the law requires HHS to consider those practices; it does not promise a fixed discount.

To better understand the change, providers should first know that the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

What Else You Need to Know …

So the prospect of smaller fines is a major plus – but what’s the fine print? Like any law, there are a few stipulations your practice must satisfy to enjoy these incentives:

  • Your practice must be able to demonstrate that recognized security practices were in place for at least the 12 months before the incident in order to get the benefit of reduced enforcement. Putting controls in after a breach does not count.
  • HHS will consider the specific cybersecurity efforts the practice actually made when calculating fines and deciding on other remedies. A single control that has nothing to do with the cause of the breach doesn’t really cut it. Your practice needs its Security Risk Analysis and the accompanying mitigation efforts documented and demonstrable (dated policies, risk registers, training records, change tickets) to get the benefit.
  • The incentive only works in one direction: HHS cannot use the absence of recognized security practices as a reason to increase a fine or to extend the scope or length of an audit. Not having them simply means you forgo the benefit.


The Next Question… What ARE “recognized security practices”?

  1. Following the HIPAA Security Rule to identify weaknesses and areas requiring mitigation through a completed, documented Security Risk Analysis.
  2. Implementing the appropriate administrative, physical and technical safeguards to mitigate the risks that analysis identifies, and keeping evidence that they are in place and maintained.
  3. Following the other security frameworks the law points to: the statute names the standards, guidelines and best practices developed by NIST (for most practices, the NIST Cybersecurity Framework), the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices, or HICP), and other cybersecurity programs recognized through regulation under other statutory authorities. Your broader compliance posture, including the 21st Century Cures Act, should be consistent with these.


What to do NOW…

To put it frankly, if you don’t have the required security standards in place already, it’s time to get a move on! Because the law looks back at the previous 12 months, the clock is already running. Implementing these recognized security practices now could mean the difference between a hefty fine and a reduced one should your practice ever fall victim to a data breach or other HIPAA violation, which may be out of your control.

What’s really important about this law change is that having a few ad hoc security measures in place is not enough. If you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, its documentation, and the mitigation that follows from it), you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – to get the benefit of reduced fines, you’ll need both.

AlphaONE has built a secure platform on industry standards and best practices (meeting and exceeding HIPAA requirements) so you can focus on what you do best: caring for your patients! Find out how we can help your practice take a proactive approach and stay one step ahead of the bad guys. Call us at 833-ALPHA-ONE or 334-245-3125.