In the article, “HIPAA Safe Harbor Offers Limited But Important Protection,” Healthcare Risk Management discusses the nuances of the HR 7898 HIPAA Safe Harbor Law that risk managers and compliance officers must consider. The publication turned to privacy, cybersecurity & data strategy partner Ken Dort to provide insight on how much protection the safe harbor law provides.
A typical safe harbor shields an entity from liability when certain conditions are met, whereas the HIPAA Safe Harbor Law only offers some protection in certain circumstances, Dort said.
He further explained that the HIPAA Safe Harbor Law requires the Office for Civil Rights (OCR) to consider whether a covered entity had implemented certain technical safeguards for 12 months. If so, it allows OCR leniency in assessing the breach.
“It is very much not specific about how OCR must respond. Perhaps they will require audits by a third party every other year instead of every year, maybe for 10 years instead of 20 years,” Dort said. “I’ve wondered if OCR comes to the table in somewhat bad faith and says, ‘We’re going to fine you $1 million, but now we’ll only fine you $900,000,’ when really they always intended to fine you $900,000.”
For an entity seeking the best treatment from OCR after a breach, Dort emphasized that the key will be proving all reasonable and prudent steps were taken to prevent the breach, making it a one-off occurrence that does not reflect negatively on the compliance program. That will require extensive documentation — and probably third-party audits.
“If you can’t show that your regular practices meet the best standards in the way the statute says, OCR may not take that into account,” Dort warned. “Like anything in risk management, you have to prove that you did what you say you did, or it won’t matter.”