HIPAA Safe Harbor Bill: What It Means for You
In January 2021, the HIPAA Safe Harbor law was enacted, providing “safe harbor” for healthcare providers and business associates if they have implemented a government-recognized cybersecurity framework for the previous 12 months. NIST was specifically mentioned. “Safe harbor” means that if the organization can provide evidence of its implementation, it will be rewarded by reduced HIPAA fines and corrective actions if it has a breach or compliance violation. If an organization is selected for a random HIPAA audit, the audit will be immediately terminated once the evidence of NIST CSF implementation for 12 months is validated. This can save a HIPAA-covered entity or business associate millions of dollars.
HIPAA Safe Harbor Bill
The HIPAA Safe Harbor Bill (HR 7898) sought to amend the HITECH Act. The HHS must determine if HIPAA CEs and BAs follow best cybersecurity practices.
This Bill requires HHS to consider cybersecurity practices during the last 12 months. These findings impact the assignment of penalties for breaches or other regulatory issues.
It bases the Recognized Security Practices on the National Institute of Standards and Technology (NIST) Act. CEs and BAs must adhere to section 2(c)(15) of the NIST Act, including all:
The goal is to limit penalties for entities following cybersecurity best practices. It also strives to prevent prolonged audits.
HIPAA Safe Harbor Act
The President signed the HIPAA Safe Harbor Bill into law on January 5, 2021. This Act directs the HHS to incentivize healthcare entities to implement best practice security.
It also specifically notes that HHS doesn’t have the authority to raise fines or extend audits. This ruling applies even when entities aren’t compliant with recognized security standards.
HHS’ Office of the Inspector General (OIG) may investigate claims of information blocking. This applies to entities or developers that provide health information technologies. The OIG may receive assistance, information, and support from other federal agencies.
In the past, severe HIPAA penalties were levied against facilities victimized by cyberattacks. This occurred even if they had installed well-resourced programs for cybersecurity. The Bill works to rebalance this inequity.
The Act also serves to encourage health facilities to invest in cybersecurity systems. This increases their regulatory compliance and increases patient safety.
HIPAA Privacy Rule Provisions Using the Safe Harbor Method
The Safe Harbor Act method defines healthcare entities’ HIPAA Privacy Rule compliance. They are to remove identifiers for individuals, employers, household members, or relatives.
This specifically includes the following:
The law applies to any other number that offers a unique way to identify an individual. This may be via a number, code, or characteristic. De-identified health data that follows these rules no longer meets the definition of PHI.
What is HIPAA Training?
The HIPAA law mandates HIPAA Training for all individuals that have contact with PHI. Training must describe how the facility restricts access, tracks, and traces PHI data. Workers should learn about HIPAA compliance and facility policies and procedures (P&P).
Employees must know how to document and keep records of compliance with the P&Ps. These records will be invaluable in the event of a breach or attack.
Teach employees about the organization’s plan for reviewing data security measures. Also, explain the remedial plan to follow if a gap in compliance occurs. Provide a list of actions to take if they suspect or detect a PHI data breach.
It’s key to understand that all the organization’s BAs and CEs must be HIPAA compliant. Thus, the healthcare facility should request proof of compliance from these entities.
How Often Do Employees Need HIPAA Training?
Neither the Privacy Rule nor the Security Rule mandates a time frame for training. The Privacy Rule requires that new employees complete HIPAA training in a “reasonable” time. It also mandates training when changes to the P&P impact the worker’s function.
The “reasonable” time is typically interpreted as within the first few days or weeks after hiring a new employee, not months.
The Security Rule requires “periodic” HIPAA training. Most healthcare facilities complete training programs annually for all applicable workers.
What is HIPAA Certification?
In fact, there isn’t a HIPAA certification for providers or facilities. Yet, they’re required to follow all HIPAA standards related to PHI.
HIPAA Exams offers a comprehensive course and certification to manage staff HIPAA training. It explains the five HIPAA Rules and strategies for meeting federal regulations.
Would Your Organization Benefit from a Trusted HIPAA Training Provider?
In today’s environment, regulations and threats are constantly changing. This creates a big challenge for facility leaders to maintain employee HIPAA training. Innovative Technologies has been the trusted source for HIPAA training since 2011.
Our program is one of the few to receive multiple industry endorsements and accreditations.
Employees can view our computer-based courses on any PC, Mac, or mobile device. You can download, email, or print certification after successful completion of online courses.
Contact us today so we can help you meet all HIPAA training requirements.
Have questions about HIPAA compliance? Check out our free resources page here: