On January 5, 2021, the President signed H.R. 7898, The HIPAA Safe Harbor Bill, into law. This new legislation amends the HITECH act to require the Department of Health and Human Services (HHS) to incentivize best-practice cybersecurity for meeting HIPAA requirements.
Previously, organizations that experienced cyberattacks were subject to HIPAA enforcement actions that included severe penalties and fines despite such organization’s cybersecurity practices. Now, H.R. 7898 specifically requires that HHS evaluate whether the organization is using recognized security practices by reviewing the previous 12 months when calculating fines or penalties based on a cyberattack. However, the law also expressly states that it does not give HHS the authority to increase fines or even the extent of an audit when an organization is found to be out of compliance with recognized security practices.
According to the law, “the Term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
This new law is important since the healthcare industry continues to be the most impacted sector when it comes to cyberattacks. The healthcare industry accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased overall by 45 percent between November 2020 and January 2021. In addition, HIPAA violation fines can range from $100 per violation all the way up to $59,522 per violation. Since these fines are calculated on a “per violation” basis, in 2020 the fines imposed ranged from $3,500 to $6,850,000, with multiple fines imposed totaling over $1,000,000.
A recent example is when University of Texas M.D. Anderson Cancer Center was fined $4,300,000 for violations of the HIPAA and HITECH Act. However, on January 14, 2021 the United States Court of Appeals for the Fifth Circuit vacated the fine stating that it was “arbitrary, capricious, and otherwise unlawful.” The Court held that HIPAA does not require entities to use “bulletproof protection” and instead held that M.D. Anderson had adopted sufficient security practices. This case shows that even courts are now looking at security practices when determining if a HIPAA violation fine is reasonable.
For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience with reviewing and analyzing HIPAA and cybersecurity practices to determine if they comply with recognized security practices under the new law. If your cybersecurity practices are not up to the new standards, FGHW’s attorneys can assist in implementing practices that are compliant.
Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.