The HITECH Law Amendment, informally known as the “Safe Harbor Law” (HR 7898), was signed by President Trump in January 2021. This amendment directs the Secretary of Health and Human Services (HHS) to consider a Covered Entity (CE) or Business Associate’s (BA) existing security measures when imposing penalties for HIPAA violations. Additionally, the law allows for a reduction in duration and scope of a HIPAA audit following a breach if appropriate Recognized Security Practices (RSPs) were in place.

A vibrant painting of a sailboat anchored in a safe harbor

What does this mean for you?

Data breaches in healthcare are increasing at an alarming rate and must be considered inevitable, but you can limit your exposure to regulatory risk when one occurs. Per the Safe Harbor Provision, if you do not have qualifying security measures or RSPs in place during a breach, you will be exposed to the highest penalties possible. However, if you have had these RSPs in place for the past twelve months, the penalty damages can be mitigated, and the subsequent audit may be narrower in scope and shorter in duration.

The civil monetary penalties for HIPAA violations continue to increase, this year rising to an annual penalty limit of $1.9 million. Although this is a considerable sum, it is likely less than what an organization will have to spend over the duration of an audit, on oversight during a Corporate Integrity Agreement (CIA), or in implementing the subsequent corrective action plan.

Audits are expensive not only in monetary terms but also in terms of business continuity, operations, and opportunity. They are disruptive, often requiring participation from crucial resources to complete. CIAs are even more troublesome. Audits and CIAs can impact strategic initiatives which cost valuable time and often result in missed opportunities.

What are these “Recognized Security Practices”? 

There are three main types of qualifying programs that implement Recognized Security Practices: 

  1. NIST’s Cybersecurity Framework
  2. Programs that implement the security practices described under section 405(d) of the Cybersecurity Act of 2015: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) 
  3. Programs that are developed, recognized or promulgated through regulations under “other” statutory authorities

These programs are not one size fits all, and it is possible that your existing practices and procedures map to controls that are already defined in one or more of these programs. 

Qualifying for Safe Harbor Protection: Expert Guidance from Quandary Peak

If your organization is diligent about data security, you probably have some of these RSPs already in place. We can help you document what you have, identify the gaps, and prepare a plan to bridge those gaps. 

The experts at Quandary Peak have years of experience on both sides of high-stakes regulatory investigations and understand the evidence needed to satisfy qualifying obligations for safe harbor protection. We can help you answer questions such as:

  • Do our existing security measures qualify as Recognized Security Practices?
  • What adjustments or enhancements to our security practices might be necessary to meet the criteria for Safe Harbor protection?
  • How can we maintain and demonstrate compliance with relevant security standards and practices over time?

To get the answers to these questions and more, schedule a consultation with one of our experts today. We will help you navigate the complex world of regulatory risk and the HIPAA Safe Harbor Law, ensuring your organization is better prepared in the event of a data breach.