BDO: HIPAA Law Incentivizes Adoption of Cybersecurity Best Practices (07 Sep)
Healthcare cybercrime is on the rise. As a result, Congress is seeking ways to help protect individuals’ personal data and information, including encouraging healthcare organizations and businesses to adopt cybersecurity best practices.
Congress recently passed a safe harbor law requiring that the Department of Health and Human Services (HHS) consider a healthcare organization’s established cybersecurity practices when reviewing HIPAA violations. If healthcare organizations have followed cyber best practices, the law requires that HHS take that into consideration when determining the severity of potential penalties and the length of required audits. By ensuring that cybersecurity controls are in line with industry standards — such as leveraging System and Organization Controls (SOC) reports or HITRUST (Health Information Trust Alliance) certification — healthcare organizations and businesses can improve their chances of receiving a smaller penalty or an easier audit process.
We provide more information on the law, H.R.7898, and what it means for healthcare covered entities.
How the Law Changes HHS’s Review of HIPAA Violations
H.R.7898 stipulates that in the event of a HIPAA violation, HHS is required to “consider certain recognized security practices of covered entities and business associates” when determining the length and outcome of an audit or the severity of any penalties or fines that may be imposed. Importantly, the law specifies that to qualify for this consideration, healthcare entities need to have had such security practices in place for at least the previous 12 months.
The law does not promise immunity from HIPAA liability when cybersecurity best practices are in place, nor does it allow HHS to impose more severe fines, penalties, or audits if best practices are not followed. The law does, however, offer the potential for milder penalties and shorter, less extensive audits if the entity can demonstrate that appropriate cybersecurity measures are in place. In this way, H.R.7898 incentivizes healthcare organizations to adopt or increase their investment in industry-standard cybersecurity practices, such as HITRUST certification.