GUEST ESSAY: HIPAA’s new ‘Safe Harbor’ rules promote security at healthcare firms under siege

By Riyan N. Alam

The Health Insurance Portability and Accountability Act — HIPAA — has undergone some massive changes in the past few years to minimize the burden of healthcare entities.

Related: Hackers relentlessly target healthcare providers

Despite these efforts, covered entities and business associates continue to find HIPAA overwhelming and extensive, to say the least.

Cyberattacks against healthcare entities rose 45 percent between November 2020 and January 2021, according to Check Point. Meanwhile, the healthcare sector accounted for 79 percent of all reported data breaches during the first 10 months of 2020, according to a study by Fortified Health Security.

At last, some good news has surfaced that encourages healthcare providers to implement the best security practices and meet HIPAA requirements. Amidst all of the turmoil, President Donald Trump officially signed H.R. 7898, known as the HIPAA Safe Harbor Bill, into law on January 5, 2021.

It is a sigh of relief for entities that could do very little against unavoidable and highly sophisticated cyberattacks. This bill is one of many recent industry efforts aimed at improving cybersecurity. The legislation amends the HITECH Act to require the Department of Health and Human Services (HHS) to reward organizations that follow the best cybersecurity practices for meeting HIPAA requirements.

Last year, the government saw that even the most security-conscious organizations could not prevent cyberattacks. It seemed unfair that the Department of Health and Human Services Office for Civil Rights, known as OCR, had the ability to penalize covered entities that experienced unavoidable security breaches.

Even the FBI issued a warning to the medical community stating that ransomware attacks were inevitable; the only thing these providers could do was create a recovery plan of action.

Carrot vs. stick

The HIPAA Safe Harbor bill was created to protect organizations that have been victimized by cybersecurity-related incidents. It requires the Department of Health and Human Services (HHS) to assess the security precautions an organization has followed over the past 12 months, incentivizing HIPAA best practices even when an attack was successful.

Essentially, the Safe Harbor law states that the HHS must take into account:

• The security measures of the organization it audits, rather than issuing fines and disciplinary actions for an attack that may have been out of that organization’s control.

• Additionally, HHS is required to shorten the time it takes to perform an audit if the organization has been following the best security practices.

• The Safe Harbor law also states that the HHS cannot add or increase fines even if an organization was not in compliance with risk mitigation standards suggested by the National Institute of Standards and Technology, or even with requirements set forth in the Cybersecurity Act of 2015. Its standard of compliance will instead be determined by the organization’s consistency with the HIPAA Security Rule.

Promoting best practices

The House Energy and Commerce Committee, which took part in passing this bill, stated that the OCR has issued severe penalties against organizations victimized by cyberattacks, regardless of how well those organizations had employed industry best cybersecurity practices.

Another goal of this law is to encourage covered entities and business associates to put a security plan into action immediately and document it through a security risk assessment. Organizations can now use their discretion to choose whatever tools they want to carry out risk assessments and documentation. Many organizations use HIPAA compliance software to streamline their compliance efforts and for the value it offers.

Nevertheless, if you thought HIPAA was a burden, then it is high time to reconsider your options. Now, instead of being penalized, you could be rewarded for embracing the best cybersecurity and HIPAA-compliant practices.

About the essayist: Riyan N. Alam is a digital marketing analyst at CloudApper, a supplier of mobile ERP solutions, including HIPAA compliance software, facility management software and CMMS. 
