HIPAA Safe Harbor: How H.R. 7898 Affects Healthcare Organizations

by | Mar 4, 2021

HIPAA Safe Harbor: How H.R. 7898 Affects Healthcare Organizations

TL;DR

New legislation (H.R. 7898) allows healthcare providers to reduce enforcement actions by using security best practices.

 

Background: H.R. 7898

On January 5, 2021, H.R. 7898 was signed into law to incentivize healthcare organizations to implement leading practices for meeting HIPAA requirements. The latest amendment to the HITECH Act provides organizations dealing with a breach the opportunity for relief during a time when attacks on the healthcare industry have reached unprecedented levels. It acts as a positive incentive for healthcare providers and business associates to invest in leading cybersecurity practices.

H.R. 7898 requires the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to consider if an organization has implemented recognized security practices when determining fines, the length of audits, and any other remedies. The amendment provides some consistency to the post-breach experience, which has been an area of criticism in the past. While it is certainly no “Get Out of Jail Free” card, the relief granted by this amendment provides incentives for implementing security practices beyond just the fear of severe repercussions.

To take advantage of the protections, the organization must be able to demonstrate that recognized security practices were followed for the 12 months prior to a breach.

 

What exactly are “recognized security practices”?

The amendment defines recognized security practices as:

“The standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”

Much like the HIPAA Security rule itself, H.R. 7898 leaves the exact approach up to the organization, but references the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guidance released in 2018 as well as the National Institute for Standards and Technology (NIST) publications.

Blog: New Health Industry Cybersecurity Practices (HICP) Guidance Released: What You Need to Know

 

Why does H.R. 7898 matter?

Whether you are a high-maturity organization looking to further protect yourself against cyber threats and compliance fines, or you are a low-maturity organization working towards HIPAA compliance, your next steps are clear. Adhering to industry best practices is now a 2-for-1 deal in defending against cyber threats and compliance fallout. By documenting your alignment with a recognized cybersecurity framework, your organization can:

  • Improve its security posture
  • Maintain evidence of alignment with recognized industry best practices
  • Reduce possible fines and compliance costs should it become the victim of a cyber incident or breach
  • Reduce the scope or length of a compliance audit

If your organization is a healthcare entity of any size or maturity, this is a no brainer.

 

How should healthcare organizations respond to H.R. 7898?

  • You’ve probably heard it a million times: perform an annual risk analysis.
    • Covered organizations and business associates should be performing and documenting a periodic security risk analysis as well as ongoing risk management activities. Don’t stop there.
  • Make sure you are aligning your risk analysis and risk management efforts with the recommendations in the HICP publication and NIST guidance.
    • Start by identifying which threats your organization faces and work backwards to identify what controls you have in place or need to have in place to detect and protect against those threats. This approach is the heartbeat of the HICP publication, which focuses on five threats that have a high likelihood and impact for healthcare providers. In our experience, ransomware continues to lead the pack.
    • Blog: Getting Specific with Ransomware Preparedness
  • Consider selecting NIST SP 800-53 or a framework that maps directly to it; at a minimum – select any ONE framework to use as a baseline that satisfies the criteria for recognized security practices. Document the results of assessments and track gaps identified and the remediation plans. Evaluate progress annually against the defined roadmap and be prepared to show evidence of compliance.

 

If you’re not sure where to start, let us help you. Whether you want advice on a specific topic, help tailoring your existing assessment processes, or need an independent risk analysis, we can help. SRA has a strong HIPAA risk assessment methodology which includes the concepts covered by the HICP framework.

 

Alex Papadoplos
Consultant, CISA, CPA AWS Certified Practitioner | Archive

Alex focuses on cloud security and vulnerability management. Most recently, Alex has worked on vulnerability management program operation and enhancements for a fortune 500 pharmaceutical company.

Alex has experience with NIST CSF, NIST 800-53, SOC 2, HITRUST, HIPAA, and other frameworks.

Prior to joining SRA, Alex worked for a public accounting firm in risk advisory and internal audit with a focus on the healthcare and higher education sectors.

Bryan Bolesta
Consultant | Archive

Bryan is a recent graduate of Drexel University’s College of Computing and Informatics. Bryan graduated in June of 2020 with a B.S. in Computing & Security Technology with a concentration in Computing Security.

Bryan joined SRA for the first time in September of 2018 as a part of Drexel’s cooperative education program. Bryan worked on multiple Threat Management projects and a handful of GRC projects during his 6 months as a full-time co-op employee.

Bryan continued his work with SRA for 9 additional months as a part-time employee until he graduated from Drexel University. Upon graduation, Bryan rejoined SRA as a full-time consultant on the Threat Management team.

Prior to Security Risk Advisors, Bryan worked as a co-op at Chubb on the Global IT Compliance team, assisting with PCI and SOX compliance activities.

Bill Lyons
Consultant, PMP, GSEC, FAIR | Archive

Bill’s focus is on managing and executing projects including toolset deployments, compliance assessments, and program developments. Bill is also experienced with many frameworks including H24 and NIST CSF.

Bill has experience at multiple organizations undergoing significant change and is skilled at working with multiple vendors/clients simultaneously on complex projects with numerous stakeholders. He has worked with companies across industries such as medical, pharmaceutical, and aerospace.

Bill is skilled at balancing industry best practices with real world client situations and requirements to determine the most practical approaches to deliver projects.

Bill is PMP, GSEC, and FAIR certified.