A new HIPAA cybersecurity law promises to lower fines and provide audit relief. On January 5, 2021, President Trump signed HR 7898, which amends the HITECH Act to provide a safe harbor for HIPAA Covered Entities and Business Associates that have consistently implemented government-recognized cybersecurity practices.

According to an article published by Healthcare IT Today, in order to benefit from the new law, an entity must show that it has implemented cybersecurity programs recognized by “statutory authorities,” such as the NIST Cybersecurity Framework (NIST CSF), for at least 12 months.

The amendment did not increase the penalties for entities that do not implement recognized security practices. Rather, according to the Baker Data Council, “…the amendment expressly states that nothing in the amendment either grants HHS the authority to levy increased fines or increases an entity’s liability due to lack of compliance with recognized security practices. As such, the amendment does not establish these recognized security practices as a new minimum level of compliance for HIPAA-regulated entities. Instead, the amendment serves to incentivize those entities that are able and willing to invest in robust cybersecurity programs with these recognized security practices to safeguard health information with a safe harbor that should result in a less punitive outcome should a security incident occur.”