HIPAA Safe Harbor Law Requires HHS to Incentivize Cybersecurity

On January 5, 2021, President Donald Trump signed the Health Insurance Portability and Accountability Act (HIPAA) Safe Harbor Bill into law.

The new law amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the US Department of Human and Health Services (HHS) to incentivize cybersecurity best practices for covered entities (CEs) and business associates (BAs) for meeting HIPAA requirements.

Overview of the Law

The HIPAA Safe Harbor Bill directs HHS to consider a CE’s or BA’s use of industry-standard security practices over the last 12 months when investigating and undertaking HIPAA enforcement actions or other regulatory purposes.

Under the new law, if CEs and BAs can adequately demonstrate that recognized security practices have been in place for the previous 12 months or more, they might not incur additional burden of proof for compliance. They might also avoid heightened scrutiny from regulators.

Additionally, when HHS is deciding whether to issue a fine or undertake an audit, it must now take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule.

NIST Cybersecurity Framework

The term recognized security practices includes “the standards, guidelines, best practices, methodologies, procedures, and process developed under subsection 2(c)(15) of the National Institute of Standards and Technology (NIST) Act to cost effectively reduce cyber risks to critical infrastructure.”

NIST has developed and disseminated the NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Cybersecurity Framework or NIST CSF. The framework integrates industry standards and guidance to help organizations manage and reduce their cybersecurity risks.

The NIST CSF framework consists of three main components:

  • Core
  • Implementation tiers
  • Profiles

Core

The Framework Core provides a set of desired cybersecurity activities and outcomes. It consists of five concurrent and continuous functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The Framework Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk-management processes.

Implementation Tiers

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Implementation Tiers characterize an organization’s practices over a range:

  • Partial: Tier 1
  • Risk informed: Tier 2
  • Repeatable: Tier 3
  • Adaptive: Tier 4

The tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed. They should be used as a tool to discuss risk appetite—the level or risk an organization is prepared to accept—as well as mission, and budget, guiding organizations to consider the appropriate level of rigor for their cybersecurity program. For example, an organization may determine that Tier 2 is acceptable based on their risk appetite or budget because management has determined the cybersecurity controls are appropriate for the types of data being processed, transmitted, or stored.

Profiles

Framework Profiles are an organization’s unique alignment of organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.  Profiles are primarily used to identify and prioritize opportunities for improving an organization’s cybersecurity controls because profiles can provide a current state view as well as a target state.

Organizations are responsible for selecting controls they deem necessary to achieve and meet their risk posture, which refers to how well an organization’s cybersecurity controls can mitigate risks. The HIPAA Security Rule requires organizations to take the following steps:

  • Conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)
  • Implement security measures that reduce risks and vulnerabilities to an appropriate level
  • Protect against reasonably anticipated threats to the security and integrity of ePHI

Risk analyses and assessments are critical to identifying and designing controls that meet HIPAA safeguards as well as align with the NIST CSF.

Increased Cybersecurity Threats

This new law joins other industry efforts aimed at bolstering health-care cybersecurity efforts in an age when health care is being targeted by hackers in record numbers.

The sixth annual Healthcare Breach Report from Bitglass recorded 599 health-care breaches affecting more than 26-million people in 2020, with 91.2% of the records exposed as a result of hacking and IT incidents.

A recent report from VMware Carbon Black found over 230-million attempted cyberattacks targeting their health-care customers in 2020. The surge in attacks began in February as the pandemic started to spread worldwide. In October 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the HHS issued a joint release about the increased and imminent threat to hospitals and health-care providers of cybercriminals targeting health-care systems with ransomware for financial gain.

The same increased threat of cybercriminals using the pandemic for financial gain and disruption of services is supported by other sources, including a report from Health Security and one by Fortified Health Security. This is most often done with ransomware attacks that infect systems so that they can’t be accessed. The attacker will ask for an amount to be paid as ransom before providing a decryption key for access to the information. Due to the urgency and need for medical personnel to have access to patient health records, health-care systems are a prime target for these types of attacks.

Next Steps

The goal of the HIPAA Safe Harbor law is to incentivize CEs and BAs to implement cybersecurity measures to help protect health-care systems from outside and inside threat actors, and HHS must now develop regulations that implement the law. While there’s no specific timeline for HHS to do so, CEs and BAs can benefit from beginning to prepare by reviewing controls and alignment with the NIST CSF or other cybersecurity best practices and frameworks, such as the HITRUST Alliance’s Common Security Framework (CSF).

We’re Here to Help

For more information about how the HIPAA safe harbor law affects your organization—or for help understanding your current risk posture, maturity levels, and controls as they pertain to the NIST CSF or HIPAA safeguards—please contact your Moss Adams professional.