HIPAA Safe Harbor

A new law was signed on January 5, 2021, that provides a safe harbor for organizations seeking to prove that they were compliant with the HIPAA Security Rule. This new law, which has been signed into law but has not yet taken effect, allows an organization to show that it had reasonable security practices in place for the previous twelve months. Doing so would give the organization safe harbor from the normal fines and stipulations imposed by the Department of Health and Human Services. In this day and age of data breaches and unprecedented attacks from nation-state actors and other unknown vulnerabilities, this can be very important: an organization may avoid a fine because it can show and demonstrate that it had these security best practices in place. The law specifies NIST as a source of these best practices, and the NIST Cybersecurity Framework is part of that; being able to demonstrate that its controls have been put into place is what counts. Other well-known and respected frameworks that guide you into sound security practices, such as the Center for Internet Security controls, would also be possible sources. But in order to prove that you have these practices in place, a well-documented, thorough, and accurate risk assessment is an important place to start when preparing your safe harbor plan. Putting this into place for your organization would be very important and could potentially protect you from the heavy fines and findings that regulators issue in these cases.

