HR 7898/Public Law No. 116-321
by Kristin Easterling

The HIPAA Safe Harbor Act amends Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider whether an organization had "recognized cybersecurity practices" in place when it investigates a data breach, and to treat those practices as a mitigating factor in fines and other enforcement actions if the organization has met the basic technical safeguard requirements.

This means that if a health care provider is following the HIPAA Security Rule safeguards to mitigate threats, the fine for a data breach should be lower.

Recent reports indicate that cyberattacks against health care providers increased 45% in December 2020 and January 2021. The new law gives owners who have taken reasonable cybersecurity precautions some protection from large fines following an audit or breach investigation.

To better understand the changes, providers must first know that the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

More Details to Note:

  • Organizations must be able to demonstrate that recognized, industry-standard security practices were in place for the 12 months before the incident in order to get the benefit of reduced enforcement.
  • HHS will consider the specific cybersecurity efforts the health care organization made when calculating fines related to security incidents. A single, isolated control that is unrelated to the cause of the breach will not earn the benefit. Organizations must have their Security Risk Analysis and the accompanying mitigation efforts documented and demonstrable to receive it.
  • The absence of recognized security practices cannot be used against a practice: HHS can't increase a fine amount or extend the audit process because a practice is found not to meet these standards.
  • The law also corrected technical elements of the 21st Century Cures Act related to the information-blocking enforcement authority of HHS’s Office of the Inspector General (OIG). Under the new law, the OIG is authorized to obtain information, assistance and other support from federal agencies when investigating claims of information blocking by developers or other entities offering health information technologies.

What are Recognized Cybersecurity Practices?

1. Following the HIPAA Security Rule to identify weaknesses and areas requiring mitigation through a completed Security Risk Analysis.

2. Implementing the right technical safeguards to mitigate identified risks.

3. Following all other security practices identified as standards that health care organizations should hold themselves to, consistent with the HIPAA Security Rule and the approaches developed under section 405(d) of the Cybersecurity Act of 2015.


Former President Donald Trump signed the bill into law on Jan. 5, 2021.


Kristin Easterling is managing editor of HomeCare magazine.