What is the New HIPAA Safe Harbor Law?

HIPAA safe harbor law

Share this article on:

The new HIPAA Safe Harbor Law (HR 7898) was signed into law by President Trump in January 2021. It instructs the Secretary of Health and Human Services to take into account existing security practices when determining penalties for HIPAA violations and when determining the length and extent of HIPAA audits.  

Strictly speaking, the new HIPAA Safe Harbor Law isn´t actually a HIPAA law, but rather an amendment to the HITECH Act which, in 2009, introduced tougher penalties for HIPAA violations. The tougher penalty structure introduced by HITECH was enacted via the HIPAA Final Omnibus Rule in 2013 and the structure has stayed in place ever since.

The amendment to the HITECH Act came as the result of a Request for Information issued in 2018 by the Department of Health and Human Services (HHS). The Request had the objectives of exploring ways the administrative burden on Covered Entities and Business Associates could be reduced and data sharing could be improved for better coordination of healthcare.

The Request received more than 1,300 responses – with many healthcare associations calling for a “safe harbor” that exempted Covered Entities and Business Associates from financial penalties and corrective action plans if it could be shown they had implemented a recognized security framework prior to a data breach or other security-related HIPAA violation.

The HIPAA Safe Harbor Law in More Detail

While the HIPAA Safe Harbor Law doesn´t go as far as exempting Covered Entities and Business Associates from financial penalties when they have implemented a recognized security framework, it provides an opportunity for HHS to refrain from enforcing penalties, mitigating penalties, or reducing the administrative burden in specific circumstances. The specific circumstances are:

  • When a HIPAA violation results in a fine for non-compliance.
  • When a HIPAA violation results in a corrective action plan.
  • When a HIPAA audit identifies failures to comply with HIPAA.

The Law also provides HHS with an opportunity to be flexible in the length and extent of audits. However, this relief – and the provisions to mitigate penalties for HIPAA violations – are subject to Covered Entities and Business Associates demonstrating at least twelve months compliance with:

“Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations […] consistent with the HIPAA Security Rule.”

How to Comply with the HIPAA Safe Harbor Act

Organizations that have adopted appropriate security standards and have documented the measures put in place to comply with the Security Rule do not have to do anything extra to comply with the HIPAA Safe Harbor Act. If, despite the best efforts of the organization, a violation still occurs, the Law only impacts HHS´ discretion on fines and/or remedial actions.

Organizations unsure whether or not gaps exist in HIPAA compliance should view the HIPAA Safe Harbor Act as an incentive to conduct a thorough risk assessment. Not only will filling gaps in compliance reduce the likelihood of a violation occurring, should a violation still occur, the penalty and/or administrative overhead for non-compliance will likely be significantly less.

Like all efforts made to comply with HIPAA, it is important everything is documented to demonstrate compliance in the event of an investigation or audit. It is also important to note that because the HIPAA Safe Harbor Act is an amendment to the HITECH Act, it only applies to failures to comply with the Security Rule. New Privacy Rule regulations are expected later this year.

Not to be Confused with the Safe Harbor Method of De-Identification

It is unfortunate the amendment to the HITECH Act signed by President Trump is being referred to as the HIPAA Safe Harbor Bill as a) it is not an absolute “safe harbor” (as reduced fines can still be issued), and b) some organizations may be confused by the similarity to the safe harbor method of de-identification as this is sometimes referred to as the HIPAA Safe Harbor provision.

The safe harbor method is one of two approved methods for sharing de-identified PHI for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments. The de-identification process ensures patient privacy is maintained and eliminates the need to obtain consent when PHI is shared or disclosed to third parties.

Importantly, the HIPAA Safe Harbor provision applies to both PHI protected by the Privacy Rule and ePHI protected by the Security Rule; and it is important for organizations to be aware of the difference between the safe harbor method of de-identification and the changes to the HITECH Act implemented by the new HIPAA Safe Harbor Law.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On