HIPAA Law Incentivizes Adoption of Cybersecurity Best Practices

July 2021

Healthcare cybercrime is on the rise. As a result, Congress is seeking ways to help protect individuals’ personal data and information, including encouraging healthcare organizations and businesses to adopt cybersecurity best practices.

Congress recently passed a safe harbor law requiring that the Department of Health and Human Services (HHS) consider a healthcare organization’s established cybersecurity practices when reviewing HIPAA violations. If healthcare organizations have followed cyber best practices, the law requires that HHS take that into consideration when determining the severity of potential penalties and the length of required audits. By ensuring that cybersecurity controls are in line with industry standards — such as leveraging System and Organization Controls (SOC) reports or HITRUST (Health Information Trust Alliance) certification — healthcare organizations and businesses can improve their chances of receiving a smaller penalty or an easier audit process.

We provide more information on the law, H.R.7898, and what it means for healthcare covered entities.

How the Law Changes HHS’s Review of HIPAA Violations

H.R.7898 stipulates that in the event of a HIPAA violation, the Department of Health and Human Services (HHS) is required to “consider certain recognized security practices of covered entities and business associates” when determining the length and outcome of an audit or the severity of any penalties or fines that may be imposed. Importantly, the law specifies that to qualify for this consideration, healthcare entities need to have had such security practices in place for at least the previous 12 months.

The law does not promise immunity from HIPAA liability when cybersecurity best practices are in place, nor does it allow HHS to impose more severe fines, penalties, or audits if best practices are not followed. The law does, however, offer the potential for milder penalties and shorter, less extensive audits if the entity can demonstrate that appropriate cybersecurity measures are in place. In this way, H.R.7898 incentivizes healthcare organizations to adopt or increase their investment in industry-standard cybersecurity practices, such as HITRUST certification.

Addressing a Pressing Issue

The new law shines a light on one of the most critical issues facing the healthcare industry today. Data breach statistics indicate a steady rise in incidents over the past decade. In fact, 2020 saw the most breaches since the HHS began compiling and publishing data in 2009. Between 2009 and 2020, thousands of breaches have resulted in the loss, theft, or exposure of some 268 million healthcare records.

While healthcare organizations strive to shore up key vulnerabilities, it can be challenging to keep current with the ever-changing methods of attack. The law seeks to address this by incentivizing organizations to increase their investment in cybersecurity, rewarding that investment through regulatory compliance.

HITRUST Certification as a Potential Solution

One way healthcare covered entities and businesses can assess the appropriateness of their security practices is through HITRUST certification, a core service offered by BDO Third Party Attestation.

HITRUST Common Security Framework (CSF), the most widely adopted security framework in the U.S. healthcare industry, is a comprehensive framework that merges many regulatory requirements and best practices while also allowing for dynamic customization based on an organization’s size, structure, and specific risk factors. Though HITRUST was designed for all industries, its origins are closely linked to the challenges and numerous applications of controls specific to HIPAA.

As a HITRUST Authorized CSF Assessor, BDO helps healthcare organizations achieve HITRUST certification and keeps clients apprised of the ever-evolving requirements of the HITRUST certification process. Guided by the HITRUST CSF, BDO’s team translates multiple security frameworks into a common language and develops a prescriptive roadmap to help clients implement security controls in line with regulatory standards. As part of the service, third-party assessments verify clients’ compliance both with HITRUST CSF and HIPAA security regulations. 

Contact your BDO representative to learn more about how HITRUST CSF certification can help your organization test and strengthen its security controls and gain certification over them.