IT Trends & Technology Blog | FNTS

HIPAA Safe Harbor Law Changes: Encouraging Proactive Cybersecurity Best Practices

Written by Don Pecha, CISO | March 11, 2021

New changes to healthcare IT security and compliance are putting greater focus on the need for cybersecurity best practices in a sector that’s facing a record number of threats that put patient protection and data privacy at risk.

The HIPAA Safe Harbor Bill (H.R. 7898) was signed into law in January 2021 and amends the Health Information Technology for Economic and Clinical Health Act (HITECH). The law requires the Department of Health and Human Services (HHS) to consider whether a HIPAA-regulated entity has had "recognized security practices" in place when deciding penalties for HIPAA violations, the length and outcome of audits, and the remedies imposed after a security incident that compromises data. The practices remain voluntary: the law creates no new compliance requirement, and it does not excuse a breach, but it rewards organizations that can document a sound security program.

How has HITECH Changed?

HITECH was amended so that HHS does not issue the same severe penalties to a HIPAA-regulated organization that is victimized by an attack despite having best practices in place as it would to one that had none. Under the new law, investigators must take into account whether the organization had recognized security practices in place for at least the previous 12 months. The law defines "recognized security practices" as the standards, guidelines, methodologies and processes developed under the NIST Act (in practice, the NIST Cybersecurity Framework), the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015 (the Health Industry Cybersecurity Practices, HICP), and other cybersecurity programs recognized under other statutes. The 405(d) program was created to align healthcare-sector security approaches so that electronic health information can be shared and used for better medical care without exposing patients to undue risk.

Implementing Best Practices Now Can Save You Later

When HHS investigates a security incident, being able to show that recognized security practices were in place for the prior 12 months can shorten an audit or lead to its early, favorable termination, and can reduce fines and other remedies. The evidence that counts is documentation: policies, risk analyses, control mappings and operational records, not a verbal assurance. Implementing these practices also reduces the vulnerabilities in your IT environment that attackers would otherwise exploit.

FNTS takes a consultative approach to help organizations understand regulatory requirements and implement robust security solutions that keep them steps ahead of evolving changes to regulatory compliance. FNTS’ dedicated and trusted team of Information Security experts keep sophisticated threats at bay by:

  • Adopting a defense-in-depth security posture with robust data segregation and protection mechanisms in all environments
  • Preventing threats to data and electronic Protected Health Information (ePHI) confidentiality, integrity and availability
  • Protecting ePHI by utilizing administrative, technical and physical safeguards
  • Offering self-audit support for HIPAA and HITECH
  • Providing access to 24/7 threat monitoring and ongoing patching

Technology Solutions Tailored to the Healthcare Industry

FNTS recently launched the FNTS Healthcare Cloud to provide custom solutions to entities covered by HIPAA and HITECH. Our role in advising clients stems from a segmented security posture built to contain threats. If your organization does have an incident, we are there to get you back up and running quickly, while helping you reduce the costs associated with penalties and capital hardware investments.

FNTS policies and operating procedures undergo routine audits that ensure certification and regulatory compliance with internal and external governing organizations.

The HIPAA Safe Harbor Bill will have long-lasting positive impacts for the entire healthcare sector by incentivizing organizations to take a more proactive approach to HIPAA and HITECH compliance. Below are a few best practices to get you started:

  • Ensure the basics are covered. The practices recognized under the law (the Section 405(d) HICP and the NIST Cybersecurity Framework) assume a solid foundation: asset management, data classification, documented data flows, and role-aligned, least-privilege access to ePHI.
  • Take a hard look at how business is being conducted in your organization. In order to implement, mature or maintain a cybersecurity program, you must first understand the who, what, when, why and how of your environment: who handles ePHI, which systems store or transmit it, and which business processes depend on it.
  • Review your organization’s cybersecurity practices and protocols to confirm you have implemented a program that meets or exceeds the recognized security practices named in the law. Use this opportunity to identify gaps and put a remediation strategy in place. Frameworks such as COBIT, ISO 27001, the NIST Cybersecurity Framework and the CSA controls can serve as the reference model.
  • Ensure your cybersecurity practices and protocols are applied consistently across the enterprise. Confirm that a Risk Register exists and that you have completed the risk analysis and risk management activities the HIPAA Security Rule requires (45 CFR 164.308(a)(1)(ii)(A) and (B)), documenting all required and addressable controls. Having a program in place is the first step; mapping it to the HIPAA/HITECH required and addressable provisions lets you focus on critical data, applications and services, and gives you the 12 months of evidence investigators will ask for.

We’re here to support you if you have any questions about strengthening healthcare IT security and cybersecurity within your organization.