On April 6, the U.S. Department of Health and Human Services, Office of Civil Rights (HHS) called for public comment on an existing statutory provision that provides a safe harbor for entities that have voluntarily implemented “recognized security practices” as part of their compliance with the Health Insurance Portability and Accountability Act (HIPAA). The scope of the safe harbor has practical and legal consequences for HIPAA-regulated entities subject to enforcement actions, audits, and fines from HHS.
In 2021, Congress passed the HIPAA Safe Harbor Act, Public Law 116-321 (Safe Harbor Act), which requires the HHS secretary to consider whether an entity has “recognized security practices” in place when determining fines, audits, and remedies of potential HIPAA violations. Covered entities and business associates that can demonstrate compliance with recognized security practices for the 12 months prior to an audit or investigation may benefit from lower financial penalties and reduced scrutiny by the agency. Furthermore, the law does not give HHS the authority to increase fines or extend an audit should an entity be found “out of compliance” with recognized security practices. In essence, the law incentivizes regulated entities to follow industry-standard best practices when it comes to information security.
The Safe Harbor Act provides potentially significant practical and legal benefits for regulated entities. Health care providers commonly experience data security breaches, often resulting from (1) malware or ransomware, (2) the intentional or unintentional disclosure of patient data by an insider, and/or (3) lost devices. The vast majority of reportable incidents involve a threat actor accessing a health care provider’s systems through malware or ransomware. In the past 24 months alone, HHS has received over 850 reports from HIPAA-covered organizations of data breaches involving more than 500 individuals; of these, over 650 are classified as a “hacking / IT incident.” Such incidents could potentially lead to significant enforcement actions and fines by HHS. Given the increasing sophistication and greater frequency of cyberattacks, even a well-prepared organization could find itself subject to HHS scrutiny. In such cases, an organization should be prepared to demonstrate its compliance with recognized security practices to take advantage of the Safe Harbor Act protections. Being able to rely on the safe harbor has practical benefits in that it limits the amount of time and expense an entity needs to devote to responding to an audit, paying a fine, and/or complying with a corrective action plan, as well as legal benefits in that it potentially limits liability for a data breach.
Although the Safe Harbor Act does not expressly require rulemaking, HHS is seeking public comment to inform future guidance that will help regulated entities and other stakeholders better understand the application of the statute. Specifically, HHS is seeking comment on (1) how regulated entities understand and implement recognized security practices, (2) how regulated entities can demonstrate that recognized security practices are in place, (3) what event or action would trigger the 12-month look-back period, and (4) any other implementation issues that require clarification. Each of these areas is covered in more detail below.
Recognized Security Practices
The Safe Harbor Act defines “recognized security practices” as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards of Technology Act, approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations or other statutory authorities.” Essentially, a regulated entity has the freedom to select the existing industry framework that best fits with the entity’s unique systems, risks, and existing processes. Because the exact parameters vary by organization, the Safe Harbor Act also provides that “such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”
The Safe Harbor Act does not provide specific criteria for a regulated entity to reference when selecting which category of “recognized practices” to implement. As a result, HHS is seeking comment on how regulated entities understand and implement recognized security practices to provide additional information and clarification if necessary.
Evidence of Compliance
The Safe Harbor Act does not define what it means for recognized security practices to be “in place.” However, in its request for comment, HHS provides that the term “in place” should be construed as equivalent to the term “implemented,” as used and clarified in the HIPAA Security Rule. Specifically, “procedures must be in use … [and] the requirement to implement policies and procedures requires, as an antecedent condition, the establishment or adaptation of those policies and procedures.”
Furthermore, HHS states that “the entity must also demonstrate that the practices are fully implemented, meaning that the practices are actively and consistently in use” over the relevant period of time to take advantage of the safe harbor.
Regulated entities should therefore examine existing practices to ensure such practices are “fully implemented,” including establishment of policies and procedures that are “actively and consistently in use.”
The Safe Harbor Act does not indicate what action or event initiates the 12-month look-back period for which recognized security practices must be in place. The start date of the look-back period can have practical implications, particularly as regulated entities begin to come into compliance. For example, the 12 months immediately prior to the start of an audit or investigation by HHS may include certain remediation activities following a breach that would not be included in a 12-month period looking backwards from the date of the breach itself. Furthermore, if the start date of the look back is identified as the date of the breach, it would be important to know whether that means the date of discovery, the date of initial access by a threat actor, or the date systems were restored. Beyond the practical implications for a regulated entity’s documentation and reporting, additional clarity as to the look-back period will ensure consistency across investigations and help regulated entities to better understand their documentation and reporting requirements during a period of breach response.
HHS also welcomes comment on any other implementation concerns that do not fall within the categories outlined above.
HIPAA-covered organizations should be cognizant of any future rulemaking by the agency that would lead to more defined requirements for the implementation and maintenance of “recognized security practices,” and be prepared to adjust compliance and reporting controls accordingly. In the meantime, regulated entities should review existing controls to ensure that they can demonstrate the appropriate policies and procedures are not just “in place,” but also actively in use to take full advantage of the practical and legal benefits of the safe harbor if necessary.
 Safe Harbor Act, Pub. L. No. 116-321, § 1, 134 Stat. 5072 (2021).
 Health Insurance Reform: Security Standards; Final Rule. 68 FR 8334, 8349 (February 20, 2003).
 Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended, 87 FR 19833, 19834 (issued Apr. 6, 2022) (to be codified at 45 C.F.R. pt. 164).