The House Energy and Commerce Committee passed a new bill (HR 7988) that would amend the HITECH Act to require the Department of Health and Human Services (HHS) to take into account whether HIPAA-covered entities and business associates follow recognized cybersecurity practices when making certain decisions, such as setting financial penalties after a security breach or taking other regulatory action.
The HIPAA Safe Harbor Bill, if approved, would reward covered entities and business associates that have met recognized cybersecurity practices with lower financial penalties and shorter compliance audits. The bill requires the HHS Secretary to consider whether the covered entity has adequately demonstrated that it had security practices in place for at least the preceding 12 months; doing so may reduce financial penalties, lead to the early and favorable termination of an audit, or mitigate other remedies that would otherwise be agreed to for resolving potential violations of the HIPAA Security Rule.
The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
The bill states that its purpose is to reduce potential sanctions, penalties, and the duration of audits where cybersecurity best practices have been adopted, and not to give HHS the power to extend audits or increase fines and penalties when an entity is found not to be following recognized security practices.
The bill was quickly approved by the House, and the Senate is expected to approve it next week. The bill has received substantial support from many health IT industry stakeholder groups, including HITRUST. HITRUST believes the bill will improve the cybersecurity posture of the healthcare sector, will encourage healthcare companies to be more proactive about HIPAA compliance, and will ensure that entities that have obtained HITRUST Cybersecurity Standard Framework (CSF) Certification receive recognition for their proactive approach to safeguarding healthcare information.
The bill also has the support of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the law will be a positive incentive for healthcare companies to invest more in cybersecurity, helping to ensure regulatory compliance and patient safety.