In our blog post earlier this year giving an overview of the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act), we discussed how it was designed to promote the use of electronic health records (EHR) across the healthcare system and its providers.

As with most things, time goes on and often reveals how decisions and laws could be better applied to resolve and cover the issues they were written to address in the first place. With the recent passage of the bill HR7898, or the Safe Harbor Bill, by the House Energy and Commerce Committee, we are seeing just that.

The goal of this bill is to amend the HITECH Act so that the Department of Health and Human Services must take into account whether or not recognized cybersecurity best practices have been adopted by entities that fall under HIPAA compliance requirements. This would apply when determining the financial penalties that follow a violation or breach.

If these covered entities and business associates have met recognized cybersecurity standards for no less than the 12 months prior, they would face reduced financial penalties and shortened financial audits.

Who Sets the Standard?

These recognized security practices are identified as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This bill would not only reduce sanctions, penalties, and audit lengths for those in compliance, but it would also give the Department of Health & Human Services the right to INCREASE those very same sanctions, penalties, and audit lengths for providers that do not follow recommended cybersecurity practices.

The healthcare IT industry appears to be in full support of this bill, as would be expected. It would not only strengthen the healthcare sector, a notoriously high-risk industry, but also encourage those who do not yet follow strong cybersecurity standards to recognize that a strong cyber program matters both for their patients and for protecting their business from the risk of higher penalties should a breach occur.

We see this as a win for all involved should it pass.