Demystifying the New HIPAA Cybersecurity Law
Healthcare organizations are among the sectors most heavily targeted by cybercriminals. The slightest weak link in a hospital's security posture can leave sensitive patient data exposed to far-reaching attacks. Attackers who get in can access Electronic Health Records (EHR), encrypt them, and demand a ransom in exchange for the decryption key; increasingly, they also exfiltrate the records first, so that refusing to pay risks having patient data sold or leaked to dubious buyers worldwide.
To protect patients and prevent the disclosure of sensitive health information, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The statute requires healthcare organizations to protect and confidentially handle their clients' and patients' personal health information.
For organizations handling protected health information (PHI), complying with the HIPAA Security Rule means putting administrative, technical, and physical safeguards in place and actually adhering to them. Traditionally, non-compliance attracted punitive outcomes such as large fines and lengthy investigations. The new cybersecurity law is meant to soften that somewhat for organizations that can show they have been doing the right things.
This post demystifies what the new HIPAA cybersecurity law means for Covered Entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and Business Associates (vendors and other organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity). So let's get to it.
New HIPAA Security Rule Overview
On January 5, 2021, the President signed into law H.R. 7898, a short statute that amends the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new law requires the Department of Health and Human Services (HHS) to take an organization's "recognized security practices" into account when it issues fines and other penalties for HIPAA Security Rule non-compliance.
In particular, the law says that if a HIPAA covered entity or business associate can demonstrate that it had recognized security practices in place for at least the previous twelve months, HHS must consider that fact. This is why the bill is commonly called the HIPAA "Safe Harbor" law, although it is a mitigating factor rather than an absolute shield. The potential benefits for such organizations are:
- Mitigation of fines imposed by HHS after an investigation of a security incident
- Early or favorable termination of an audit, once specific HITECH requirements are met
- Mitigation of the remedies that would otherwise be agreed upon when settling potential HIPAA Security Rule violations.
The flip side is just as important: the law clarifies that HHS gains no new authority to increase fines or extend an audit because a covered entity or business associate has not implemented recognized security practices. But for an organization to benefit, it must be able to show that those practices were in place, and in use, for the full twelve months before the incident or investigation. Documented evidence (risk analyses, policies, training records, and technical configuration records) is what will make that showing possible.
Is the New HIPAA Security Law Already Effective?
The statute itself took effect when it was signed, but it does not tell HHS how to evaluate whether an organization's recognized security practices were adequate or in place for the required period. That detail has to come through the federal rulemaking process: a Notice of Proposed Rulemaking (NPRM) followed by a public comment period before a final rule exists. That can take time. The last time HIPAA was substantially modified, it took roughly four years for the HITECH Act of 2009 to become the actionable 2013 Omnibus Rule.
The good news is that, unlike the 2013 HIPAA Omnibus Rule, which ran to hundreds of pages, the new statute is only 636 words long, so the rulemaking should be considerably simpler. Before then, the HHS Office for Civil Rights (OCR) is expected to engage in a concerted rulemaking effort to oversee the statute's implementation, including a request for comments on what counts as recognized security practices. The statute defines "recognized security practices" by reference to three sources:
"The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act."
The National Institute of Standards and Technology (NIST) publishes Special Publications (such as the SP 800 series) and the Cybersecurity Framework, which are widely treated as best practice by any industry looking to strengthen its data security. The publications are in-depth, thorough, and updated regularly. Because of their credibility, OCR already references them in its HIPAA guidance documents, and it will most likely do the same when it writes the rule implementing the new statute.
"The approaches promulgated under section 405(d) of the Cybersecurity Act of 2015."
HHS has worked for years to implement section 405(d) of the Cybersecurity Act of 2015 (CSA), convening an industry task group that produced the Health Industry Cybersecurity Practices (HICP) publication. Given the direct reference to the CSA in the new statute, OCR will most likely treat the guidance in HICP as part of its rulemaking effort.
The third source is a catch-all: other cybersecurity programs and processes developed, recognized, or promulgated through regulations under other statutory authorities. In practice, an organization that can map its controls to the NIST Cybersecurity Framework or to HICP, and can show those controls have been operating for the past twelve months, is in the best position to benefit.
Are There Any Previous HIPAA Updates?
Before the new law was passed, a number of HIPAA enforcement changes and updates were already in effect or under review. They shape the enforcement landscape the new law modifies:
HIPAA Violations Penalty Updates
In April 2019, OCR announced that it would apply reduced annual caps for penalties within each of the four violation tiers. The annual cap for Tier 1 (where the organization did not know and could not reasonably have known of the violation) dropped to $25,000, with the caps rising through the tiers according to the degree of culpability.
Better Enforcement and Violations Accountability
In 2019, OCR tightened its enforcement efforts, with settlements and civil money penalties averaging more than $1.2 million per enforcement action. Enforcement was loosened somewhat through much of 2020, when OCR issued notices of enforcement discretion in response to the global pandemic.
Potential Permanent Audit Programs
HHS has long supported the idea of a permanent HIPAA audit program, and the new law's audit relief fits alongside it. For now, the audit program has no permanent structure, but a change is likely once the new law is fully implemented through rulemaking.
Let Kraft Technology Group Help
If you're a HIPAA covered entity or business associate, you need to figure out how the recognized security practices fit into your organization. It is the only way to get the benefit of the new law and to reduce your exposure to penalties and fines under the HIPAA Security Rule. Here's the rub: the statute is still new, and until HHS finishes rulemaking there is no definitive checklist of what counts as a recognized security practice or what evidence OCR will accept.
This is where Kraft Technology Group comes in. Our team has the expertise, credentials, experience, and commitment to identify, implement, document, and support the cybersecurity practices your organization needs to remain compliant and reduce the risk of penalties. Contact us today, and let us help you build a well-documented, lower-risk working environment.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.