
What is the HIPAA Safe Harbor Law?

The HIPAA Safe Harbor Law (HR 7898) is an amendment to the HITECH Act passed by Congress in 2021 which instructs the Secretary of Health and Human Services to take into account existing security practices when determining penalties for HIPAA violations. Organizations that have adopted a recognized security framework will also benefit from less disruptive corrective action plans and audits.

In 2009, the HITECH Act amended the HIPAA Enforcement Rule by introducing a four-tiered penalty structure and by increasing the maximum civil monetary penalties that could be imposed by HHS’ Office for Civil Rights for HIPAA violations. The structure has stayed in place ever since and the penalties have increased annually since 2015 to account for inflation.

The 2021 amendment to the HITECH Act came as the result of a Request for Information issued by the Department of Health and Human Services (HHS). The Request for Information had the objectives of exploring ways the administrative burden on Covered Entities and Business Associates could be reduced and data sharing could be improved for better coordination of healthcare.

The Request for Information received more than 1,300 responses – with many healthcare associations calling for a “safe harbor” that exempted Covered Entities and Business Associates from financial penalties and corrective action plans if it could be shown they had implemented a recognized security framework prior to a data breach or other security-related HIPAA violation.


The HIPAA Safe Harbor Law in More Detail

While the HIPAA Safe Harbor Law did not go as far as exempting Covered Entities and Business Associates from financial penalties when they had implemented a recognized security framework, it gave HHS the discretion to refrain from enforcing penalties, to mitigate penalties, or to reduce the administrative burden in specific circumstances. The specific circumstances were:

  • When a HIPAA violation results in a fine for non-compliance.
  • When a HIPAA violation results in a corrective action plan.
  • When a HIPAA audit identifies failures to comply with HIPAA.

The HIPAA Safe Harbor Law also provided HHS with an opportunity to be flexible in the length and extent of audits. However, this relief – and the provisions to mitigate penalties for HIPAA violations – were subject to Covered Entities and Business Associates demonstrating at least twelve months’ compliance with:

“Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations […] consistent with the HIPAA Security Rule.”

Safe Harbor Integrated into Security Rule Update

Because the text of HR 7898 was limited in detail, questions were raised regarding what constituted a recognized security framework and how eligible entities could “adequately demonstrate” they had implemented and maintained a recognized security framework for twelve months prior to a compliance investigation.

To resolve the questions, the HHS’ Office for Civil Rights published a further Request for Information in 2022 seeking public comment on what potential information or clarifications the agency needed to provide through future guidance or rulemaking to help regulated entities understand the application of the HIPAA Safe Harbor Law. The responses were used to shape the proposed Security Rule update published in January 2025.

The proposed update notes that, because HR 7898 requires any adopted security framework to be consistent with the HIPAA Security Rule, “it is appropriate for the Department to develop and adopt its own standards to meet the statutory objective of ensuring the security of ePHI.” Consequently, the goals of the HIPAA Safe Harbor Law will ultimately be integrated into the HIPAA Security Rule.

How to Comply with the HIPAA Safe Harbor Law

Organizations that have adopted appropriate security standards and have documented the measures put in place to comply with the existing Security Rule do not have to do anything extra to comply with the HIPAA Safe Harbor Law at present. If, despite the best efforts of the organization, a violation still occurs, the Law only impacts HHS’ discretion on fines and/or remedial actions.

Organizations unsure whether or not gaps exist in their HIPAA compliance should view the proposed updates to the HIPAA Security Rule as an incentive to conduct a thorough risk assessment. Not only will filling gaps in compliance reduce the likelihood of a violation occurring; should a violation still occur, the penalty and/or administrative overhead for non-compliance will also likely be significantly less.

Like all efforts made to comply with HIPAA, it is important that everything is documented to demonstrate compliance in the event of an investigation or audit. This includes not only the documentation of measures implemented to comply with the HIPAA Security Rule, but also the documentation of security awareness training provided to workforce members.

Security Training and Documentation Requirements

The documentation of a strong cybersecurity training program can support the goals of the HIPAA Safe Harbor Law by showing that an organization has made proactive efforts to embed recognized security practices into day-to-day behavior. While the Safe Harbor Law focuses on documented security frameworks and technical and administrative safeguards, regulators still look closely at how staff are trained to follow those safeguards in practice.

Well-designed, regularly updated security awareness training helps demonstrate that policies are not just written down but are actively communicated, tested, and reinforced across the workforce. When training is clearly documented over time, it becomes part of the evidence that a Covered Entity or Business Associate has taken reasonable, good-faith steps to prevent violations, which can support more favorable consideration of penalties, investigations, and corrective action plans if a security-related HIPAA incident still occurs despite those efforts.

With regard to complying with the HIPAA Safe Harbor Act, the proposed update to the HIPAA Security Rule requires HIPAA-regulated entities to document when training is provided, to document the type of training and the training materials used, and to document evidence of workforce participation – for example, the results of quizzes and end-of-training performance assessments.

Not to be Confused with the Safe Harbor Method of De-Identification

It is unfortunate that the 2021 amendment to the HITECH Act was referred to as the HIPAA Safe Harbor Bill or HIPAA Safe Harbor Law because a) it was not an absolute “safe harbor” (as reduced fines could still be issued), and b) some organizations may have been confused by the similarity to the safe harbor method of de-identification, as this is sometimes referred to as the HIPAA Safe Harbor standard.

The safe harbor method of de-identification is one of two approved methods for sharing de-identified PHI for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments. The de-identification process ensures patient privacy is maintained and eliminates the need to obtain an authorization when PHI is shared or disclosed to third parties for a purpose not permitted by the HIPAA Privacy Rule.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
