Safe Harbor Introduced for Covered Entities That Adopt Recognized Cybersecurity Best Practices

HIPAA covered entities and their business associates have been provided with a degree of protection against HIPAA enforcement actions following a security incident now that new legislation has been signed into law.

HR 7898 was enacted on January 5, 2021 by President Trump and amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of the Department of Health and Human Services to consider “recognized security practices” that have previously been adopted by the breached entity when considering HIPAA fines and other sanctions and remedies.

Prior to HR 7898 being signed into law, a covered entity or business associate could have adopted a common security framework and implemented security best practices to prevent data breaches, only to subsequently fall victim to a cyberattack. Even though the measures implemented would be over and above the minimum standards demanded by HIPAA, the breached entity could still face a sizable financial penalty from the Department of Health and Human Services. There have been cases where HIPAA-covered entities have implemented industry-recognized security practices but still had to pay severe financial penalties after falling victim to a cyberattack.

If financial penalties in relation to data breaches are likely to be imposed regardless of the security measures implemented by a covered entity or business associate, there is little incentive to commit the time, money, and resources needed to improve cybersecurity. HR 7898 should therefore help to incentivize healthcare organizations to invest in cybersecurity, as doing so may see financial penalties waived or reduced.

The HITECH Act amendment requires the HHS to consider whether recognized security practices had been in place for not less than the 12 months prior to a data breach. If they had, that may mitigate any fines under section 1176 of the Social Security Act, result in the early and favorable termination of an audit, reduce the extent of a compliance investigation, or mitigate the remedies that would otherwise have been agreed to resolve any violations of the HIPAA Security Rule.

The amendment makes it clear that the HHS is forbidden from increasing financial penalties, or the length or extent of audits, when an entity is discovered to have failed to implement recognized security best practices. It also states that the amendment should not be construed to subject a breached entity to liability for failing to adopt recognized security best practices.

Recognized security best practices are defined as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, and other programs and processes that address cybersecurity and that are developed, recognized, and promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

In short, the HITECH Act amendment introduces a safe harbor for HIPAA-covered entities and business associates that suffer data breaches after adopting recognized security best practices, provided they are able to prove to the HHS that those security best practices have been in place for at least 12 months.

The aim of the amendment is to incentivize covered entities and business associates to improve cybersecurity and ensure that those that do are not unduly punished if they still suffer a data breach despite their good faith efforts to improve their security posture.