Safe Harbor for Implementing a Government-Recognized Cybersecurity Program

by Mike Semel

Originally published at  Healthcare IT Today Reprinted with permission.

On January 5, 2021, President Trump signed a new law providing Safe Harbor for HIPAA Covered Entities and Business Associates that have consistently implemented government-recognized cybersecurity practices.

HR 7898 amends the HITECH Act to reduce HIPAA fines and mitigate other remediation after cybersecurity incidents, and to termination audits early, if certain requirements are met. To qualify for this ‘Safe Harbor,’ organizations must show that they have implemented cybersecurity programs recognized by “statutory authorities”, such as the NIST Cybersecurity Framework (NIST CSF), for at least 12 months. The law states that HIPAA penalties cannot be increased for the lack of implementation of a recognized cybersecurity framework.

The new law must go through the federal rulemaking process, requiring a Notice of Proposed Rulemaking (NPRM), and a comment period before being written into the existing rule structure. The last time HIPAA was modified, it took more than four years from when the 2009 HITECH Act became law to when the resulting 2013 HIPAA Omnibus Rule became effective.

A rule update based on the new law may be further delayed by a change in presidential administrations, plus the current focus by the Office for Civil Rights (OCR) to update the HIPAA Privacy Rule based on the NPRM issued in December 2020. On the other hand, the new leaders at the OCR may fast-track the new law because it is simple and brief, only 636 words, compared to the 357-page NPRM for the Privacy Rule changes.

The HIPAA Security Rule includes 42 requirements to protect data, broken down into Administrative, Physical and Technical Safeguards. It went into effect in 2005 and was modified by the HIPAA Omnibus Final Rule in early 2013.

The NIST CSF is the U.S. government’s recommended cybersecurity framework for business of all types and sizes, except for defense and federal contractors that must implement higher-level NIST frameworks. It is newer and more prescriptive than the HIPAA Security Rule. The NIST CSF breaks cybersecurity down into 5 functions, 23 categories, and 98 subcategories (cybersecurity controls). It is recognized by state governments and oversight agencies for financial institutions and consumer protection. Canada, Israel, and Japan have all adopted the NIST CSF.

For years there have been calls to update the 2005 HIPAA Security Rule to address newer technologies and newer risks. The Security Rule became effective in 2005, two years before the iPhone was introduced. Cloud-delivered Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) were in their infancies. In 2005, encryption of data required expensive tools and cybersecurity expertise. Now, Windows 10 Professional, Mac OS, and server software includes encryption that can just be turned on.

Failure to conduct an “accurate and thorough” risk analysis, the foundation of the HIPAA Security Rule, is cited in most HIPAA penalties. A HIPAA risk analysis is a requirement of the Medicare Merit-Based Incentive Payment System (MIPS). Falsely attesting for the MIPS program can bring charges under the federal False Claims Act, resulting in a payback of three times the amount paid to the entity by Medicare and Medicaid, being banned from future payments, and possible criminal Medicare fraud charges.

In December 2020, the OCR released a report from the federal HIPAA audit program showing that “most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.”

The new Safe Harbor law gives HIPAA Covered Entities and Business Associates financial incentives to do what they should have been doing all along. Covered entities have been required to implement the HIPAA Security Rule for the past 15 years. Business associates were required to implement the HIPAA Security Rule for the past eight years. In 2019, the OCR issued a Business Associate Fact Sheet reminding Business Associates of their obligations.

Consistently implementing the NIST CSF for at least 12 months will lower the potential liability for all HIPAA covered entities and business associates.