Blog | 24By7Security

HIPAA Safe Harbor: H.R. 7898's Impact on Healthcare Organizations

Written by Brian Gomez | January, 31 2023

By implementing security best practices, HR 7898 enables healthcare providers to potentially decrease enforcement actions.

In a time when assaults on the healthcare sector have increased to previously unheard-of levels, the most recent addition to the HITECH Act offers firms struggling with a breach the chance for remedy.

HR 7898 was signed into law by former president Donald Trump at the beginning of 2017. The purpose of this bill was to compel the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to promote specific cybersecurity practices across all its covered businesses and business partners. The law defines them as "recognized security practices" and ensures that everyone handling sensitive health information abides by the HIPAA security rules already in place.

Fast forward to January 5, 2021, new amendments were signed into law that will encourage healthcare businesses to adopt cutting-edge procedures for complying with HIPAA regulations. The amendment gives the post-breach experience some consistency, which has been criticized in the past. Although it is not a "Get Out of Jail Free" card, the relief made possible by this amendment offers incentives for employing security methods that go beyond the threat of serious consequences.

To benefit from the protections, the company must be able to show that for the previous 12 months, recognized security practices were followed.

"Recognized Security Practices" – What Are They?

According to the bill, these security measures consist of:

  • Standards, guidelines, recommended practices, methods, and processes created in accordance with the National Institute of Standards and Technology Act (NIST Act).

  • The cybersecurity procedures created in accordance with Section 405(d) of the 2015 Cybersecurity Act.

  • Programs and procedures that were created under are recognized by or are specified in federal statutes other than HIPAA.

HR 7898, like the HIPAA Security rule itself, leaves the organization's specific strategy up to them. Other organizations like the NIST and others have already established these standards. The government has chosen to reward good behavior even though healthcare organizations should already be adopting these best practices in theory.

Why is HR 7898 Important?

Whether your healthcare organization is a low-maturity firm moving towards HIPAA compliance or a high-maturity organization looking to better defend itself against cyber-attacks and compliance fines, the importance of the new law cannot be understated. Following industry best practices now offers a 2-for-1 defense against cyber risks and compliance repercussions. By demonstrating your adherence to a well-known cybersecurity framework, your company can: 

  • Boost the state of its security

  • Keep track of your compliance with recognized best practices in your industry

  • Reduce potential penalties and compliance expenses in the event that it suffers a cyber incident or breach

  • Cut back on the size or duration of a compliance audit

The proposed measure will advise that factors be considered when fining institutions for adhering to this bill. According to the proposed legislation, if an offender follows these rules, fines should be reduced, and the scope and duration of the audit should be condensed.

The penalties for breaking HIPAA regulations might be severe. Still, if making a good faith attempt would help reduce those penalties, it might be worthwhile to make the extra effort and confirm that all your covered organizations and other business associates (BAs) are adhering to the current cybersecurity standards outlined in HR 7898.

Does HR 7898 Prevent Fines Altogether?

HR 7898 does not shield healthcare-covered businesses or business partners from liability for HIPAA violations. According to the statute, "Nothing in this section shall be construed to limit the Secretary's authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate's obligations under the HIPAA Security Rule." Instead, it mandates that the HHS Office for Civil Rights (OCR) consider whether the covered firm or business associate sufficiently proved that it implemented specific acknowledged cybersecurity procedures for the year before an audit or review. If so, OCR should take this into account when deciding the scope and outcome of the audit, any fines, or the terms of the resolution agreement.

Thus, HR 7898 does not stop OCR from levying fines or other sanctions. It does not offer a protected area for HIPAA compliance. Instead, it aims to motivate organizations to adopt cybersecurity best practices; if they do, OCR enforcement actions might be less scrutinizing and harsh toward them. In short, if healthcare companies have previously embraced acknowledged best practices, they should benefit from having been the subject of an audit or investigation.

How Should the Healthcare Industry React to HR 7898?

  • Performing a Security Risk Assessment: A periodic security risk analysis should be conducted and documented, as well as continuing risk management procedures, by covered entities and business associates.

  • Aligning Your Organization’s Risk Analysis and Risk Management Efforts: Work backward from the threats your business confronts to determine what controls you already have in place or must implement to detect and defend against those threats. The HICP publication, which focuses on five dangers with a high likelihood and impact for healthcare professionals, is driven by this strategy. In our experience, ransomware is still the most common threat.

  • Consider NIST CSF: The NIST CSF contains a baseline of security criteria for recognized security practices. If not NIST CSF, a framework that also has the same language or standards is acceptable. Nonetheless, select any ONE framework to use as a baseline that satisfies the criteria for recognized security practices. Document the results of assessments and track gaps identified and the remediation plans. Evaluate progress annually against the defined roadmap and be prepared to show evidence of compliance.

Summary

According to the law, HHS must consider whether a covered company or business associate used industry-standard security procedures over the previous 12 months when investigating, enforcing HIPAA or for other regulatory purposes.

In addition, the bill mandates that HHS take cybersecurity into account when determining fines for security-related incidents. If it is discovered that the impacted organization has really complied with industry-standard best practice security requirements, HHS may reduce the scope and duration of an audit.

The law follows several other industry initiatives aimed at supporting healthcare cybersecurity efforts at a time when hackers are increasingly targeting the industry.