In 2020, hospitals found themselves facing more than just a viral pandemic. They were facing a digital pandemic of attacks and data breaches. According to a Health IT Security article, healthcare accounted for 79-percent of all reported data breaches and attacks in 2020, and the end of the year was the worst with a 45-percent spike in attacks against healthcare providers from November on.
To add insult to injury, even if a healthcare provider had industry standard security and were breached, the Department of Health and Human Services (HHS) could punish providers through the HITECH Act’s penalties for HIPAA violations, no matter how strong their security was.
Luckily, hospitals and providers are now less likely to be fined with a breach. In early January, former President Trump officially signed HR 7898 into law. The HIPAA Safe Harbor bill amends the HITECH Act to require HHS to incentivize best practice cybersecurity for meeting HIPAA requirements.
First introduced on July 31, 2020, the bill easily passed the House Energy and Commerce Committee with the Senate unanimously passing the legislation without amendment on December 19, 2020.
With this bill, the HHS is to take into account the use of industry-standard security practices over the course of 12 months when investigating and undertaking HIPAA enforcement actions, or other regulatory purposes.
Additionally, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. This will protect hospitals and providers from getting fined if they are the victim of an attack or breach. HHS is also required to decrease the extent and length of an audit, if it is determined that the impacted entity has met industry-standard best practice security requirements.
With the announcement of the bill, the Health Sector Coordinating Council (HSCC) noted that HIPAA enforcement actions often have applied severe penalties against organizations victimized by cyber-attacks even when they employ industry best cybersecurity practices. They said that the bill rebalances the inequity by directing HHS to take into account the use of recognized security best practices during the last 12 months when making determinations against HIPAA-covered entities, such as hospitals and providers.
While cyberattacks and data breaches will continue to impact the healthcare industry, HR 7898 should help hospitals and providers on the regulation side, assuming they are using industry-standard best practice security – which Americollect does as a HITRUST certified company. This is an excellent time to review your security and ensure you meet the requirements to minimize not only attacks, but the HHS inquiry that follows.
Ridiculously Nice Legal Disclaimer
The content provided in this communication (“Content”) is presented for educational and general reference purposes only. Americollect, Inc and/or AmeriEBO LLC either directly or indirectly through speakers, independent contractors, or employees (collectively referred to as “Americollect”) is providing this Content as a courtesy to be used for informational purposes only. The Contents are not intended to serve as legal or other advice. Americollect does not represent or warrant that the Content is accurate, complete, or current for any specific or particular purpose or application. This information is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel. By using the Content in any way, whether or not authorized, the user assumes all risk and hereby releases Americollect from any liability associated with the Content.