On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act. As the healthcare industry continues to serve as one of the top targets for cybersecurity threat actors, the amendment creates a “HIPAA safe harbor” that should hopefully provide some much-needed relief to those beleaguered covered entities and business associates that have spent years and significant dollars to implement cybersecurity best practices. This new safe harbor requires that, when calculating fines, evaluating audits or reviewing proposed mitigation steps, the Department of Health & Human Services (HHS) must consider whether the covered entity or business associate adequately demonstrated that it had in place “recognized security practices” for at least 12 months prior that would:
(1) Mitigate HIPAA fines.
(2) Result in the early, favorable termination of a HIPAA audit.
(3) Mitigate the remedies in a HIPAA resolution agreement with HHS.
Under the law, the term “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” Thus, the new safe harbor has the potential to both significantly incentivize all entities subject to HIPAA to implement cybersecurity best practices as well as provide some long-overdue relief to those entities that experience a data security incident after having implemented robust security practices, as it recognizes that despite an entity’s best efforts, security incidents still occur, and highly punitive penalties may not be appropriate in such circumstances. While not specifically defined, our experience working with HHS in breach investigations is that HHS focuses on existing programs for assessing cyber security risks to electronic protected health information (ePHI) through annual security risk analyses, inventory of ePHI, risk management plans and the implementation of administrative, technical and physical safeguards to address those risks.
Notably, the amendment did not increase the penalties that HHS can issue to entities that do not implement recognized security practices. Instead, the amendment expressly states that nothing in the amendment either grants HHS the authority to levy increased fines or increases an entity’s liability due to lack of compliance with recognized security practices. As such, the amendment does not establish these recognized security practices as a new minimum level of compliance for HIPAA-regulated entities. Instead, the amendment serves to incentivize those entities that are able and willing to invest in robust cybersecurity programs with these recognized security practices to safeguard health information with a safe harbor that should result in a less punitive outcome should a security incident occur.
In working with our healthcare clients, we advise them on the importance of good cybersecurity hygiene consistent with industry best practices and on curing any deficiencies in their security programs, particularly in the aftermath of a breach. These actions put the entity in the best possible position for us to advocate to HHS on their behalf. In passing this amendment, HHS is recognizing this process.
Additionally, the amendment also makes technical corrections to the 21st Century Cures Act (Cures Act), which cements the HHS Office of the Inspector General’s (OIG) enforcement authority to investigate claims of information blocking, which the Cures Act broadly defines as practices that interfere with the access to or use or exchange of electronic health information. The technical corrections clarify that the OIG may draw on the powers outlined in the Inspector Act of 1978 when investigating claims that an entity regulated by the Cures Act has engaged in information blocking. To date, the OIG has only promulgated a proposed rule that would allow the OIG to impose civil money penalties – up to $1 million per violation – on developers or offerors of certified health information technology and health information exchanges or networks found to have engaged in the practice of information blocking. Following the passage of this amendment, it is anticipated that the OIG will finalize this proposed rule, which is expected to become effective 60 days after publication. While the OIG’s authority in the Cures Act to impose civil monetary penalties does not extend to healthcare providers and the OIG has not yet issued any proposed rule-making regarding violations of the information blocking rules by providers, the OIG has stated that if it determines that a healthcare provider has committed information blocking, the office will refer that healthcare provider to the appropriate agency, such as the HHS Office of Civil Rights, for what it refers to as “appropriate disincentives.”