The House Energy and Commerce Committee has passed a new bill (HR 7898) that would amend the HITECH Act to require the Department of Health and Human Services (HHS) to take into account whether HIPAA-covered entities and business associates have implemented recognized cybersecurity practices when making certain determinations, such as setting fines following a security breach or pursuing other regulatory actions.
The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have adopted recognized cybersecurity practices with reduced fines and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated that recognized security practices have been in place for no less than one year, which may mitigate fines, lead to an early and favorable termination of an audit, or mitigate other remedies that might otherwise be agreed to resolve potential HIPAA Security Rule violations.
The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
The bill also makes clear that its purpose is to reduce potential sanctions, fines, and the length of audits when cybersecurity best practices are followed, not to give HHS the authority to extend audits or increase fines and penalties when an entity is found not to be following recognized security practices.
The bill has received considerable support from health IT sector stakeholder groups, including HITRUST. HITRUST believes the legislation will help to enhance the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more positive approach to HIPAA compliance, and will ensure that entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to safeguarding healthcare data.
The bill also has the support of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will serve as a positive incentive for healthcare providers to increase investment in cybersecurity, to the benefit of both regulatory compliance and patient safety.
Update: December 19, 2020 – The unamended bill was passed by the Senate. The bill will now go to the President, who will choose whether to sign it into law or veto it.