HIPAA Safe Harbor Bill Signed Into Law: OCR to consider mitigation efforts when evaluating HIPAA violations

By: Cristina N. Hyde, JD

On January 5, 2021, the President signed H.R. 7898 – the HIPAA Safe Harbor Bill – into law.  The new legislation amends the Health Information Technology for Economic and Clinical Health Act; addressing health information technology as it relates to security practices.  The full text of the new public law will be published here.  However, as it has not been published yet, the text of the bill as of December 21, 2020, can be found here.

Simply put, the law requires that the Department of Health and Human Services (HHS) consider a covered entity’s application of “recognized security practices” (over the course of the prior 12 months) when investigating violations of the HIPAA Security Rule. Notably, while a finding of compliance could lead to the reduction of sanctions, penalties or audit lengths, the amendment does not authorize HHS to increase consequences for those found to be noncompliant. The bill not only creates an incentive for health care practitioners to focus on cybersecurity, but also requires covered entities to demonstrate that they have done so with appropriate documentation.

We anticipate that HHS will now proceed with the notice and rulemaking process that normally accompanies implementation. Our office will keep you updated, as necessary. For more information, and if you would like assistance reviewing your security compliance and documentation policies, Contact Us.