The HIPAA Safe Harbor Bill was signed into law by the President on January 5, 2021. It calls for the Department of Health and Human Services (HHS) Secretary to consider whether an entity has adequately demonstrated recognized security practices that have been in place for at least 12 months and to reduce the potential penalties which might have otherwise been implemented as a result of potential HIPAA Security Rule violations.
The HIPAA Safe Harbor Bill defines Recognized Security Practices as “standards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 (CSA), and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” 
What does that mean for your organization? What do you need to do to demonstrate that you have security practices in place that meet the requirements of the HIPAA Safe Harbor Bill? Below we will discuss both the CSA and “other programs” that might be the standards set in the Safe Harbor Bill.
Section 405(d) of the Cybersecurity Act of 2015
Section 405(d) lead the Department of Health and Human Services to create the 4052(d) Task Group to develop a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that allowed healthcare organizations to reduce cybersecurity cost-effectively . The Task Group outlined their recommendations in the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HIPC). The HIPC included a main document and two technical volumes:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients examined the threats facing the healthcare industry and explored five current threats, and presented ten practices to mitigate those threats
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations discussed the ten practices to mitigate threats for small healthcare organizations
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations discussed the ten practices to mitigate threats for medium and large healthcare organizations 
The HIPC identified the five main cybersecurity threats as:
- Email Phishing Attacks
- Ransomware Attacks
- Loss or Theft of Equipment or Data
- Internal, Accidental, or Intentional Data Loss
- Attacks Against Connected Medical Devices that May Affect Patient Safety
The HIPC identified the ten cybersecurity practices as:
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
While the HIPC has not been updated since 2018, a review of recent data breaches in healthcare suggests that the identified threats are still relevant. For example, a 2019 study by the Journal of American Medicine of 95 simulated phishing campaigns at six US health care institutions noted almost one in seven test emails sent were clicked by employees . And recently, a ransomware attack affected 250 Universal Health Systems facilities taking their systems offline for almost a week . These reports agree with the 2020 HIMSS Cybersecurity Survey, which noted the top security events included phishing events, harvesting and ransomware .
Other Programs and Processes
The Safe Harbor Rule also called out “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.” The HIMSS 2018 Cybersecurity Survey noted that for healthcare organizations, the most common cybersecurity frameworks were NIST, Critical Security Controls (CSC), ISO and HITRUST .
As discussed above, NIST is also the basis for HIPC, which demonstrates the commitment of HHS to NIST. The NIST Cybersecurity Framework provides a policy framework of guidance on how an organization can assess and improve its ability to prevent, detect and respond to cybersecurity attacks. In addition to the controls included in the HIPC, there are several other NIST control documents that organizations can use to develop their cybersecurity controls environment.
Most healthcare organizations base their security framework on NIST 800-53. NIST 800-53 is an extensive framework developed to provide both security and privacy controls for all federal information systems except for those related to national security. The NIST SP 800-53 is comprised of 18 control families, with each control split into high, medium, and low priority. NIST is an extensive control framework that an organization will need to review and tailor to its environment.
The Center for Internet Security Critical Security Controls (CSC) is a series of 20 controls that provide detailed guidance on what an organization should do to defend itself against cyber threats. These 20 controls are broken down into implementation groups based on the organization’s size, allowing for the control framework to be tailored to the organization’s needs. However, while these controls will help protect an organization from a cyberattack, they are not intended to be a comprehensive cybersecurity framework. They are usually used alongside other frameworks such as NIST.
ISO 27001 is a globally recognized standard for the maintenance and protection of information systems. Organizations use ISO to develop a security management system to manage their cybersecurity risk proactively. ISO requires organizations to identify risks and develop processes and policies to protect against those risks.
HITRUST incorporates multiple regulatory and statutory requirements, including NIST, ISO, HIPAA, PCI, GDPR and more, into a Common Security Framework. Obtaining a HITRUST certification requires significant effort. HITRUST is scoped to provide relevant controls based on your organization’s risk. Organizations can have between 250 and 800 controls based on the relevant risk factors. Of all the frameworks discussed, HITRUST is probably the most comprehensive as it incorporates several other frameworks, which also increases the complexity involved in meeting the HITRUST standards.
How do you demonstrate and confirm that you met the standard called for in the HIPAA Safe Harbor Rule? A good option that demonstrates compliance with both the Safe Harbor Bill and HIPAA Security Rule is to perform a risk assessment based on the appropriate controls for your organization using the NIST SP 800-30 Guide for Conducting a Risk Assessment.
In addition to providing evidence of adoption of recognized security practices, a NIST-based risk assessment would also meet the risk analysis requirement of the HIPAA Security Rule (§ 164.308(a)(1)(ii)(A)), which requires that organizations conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information.
While this rule has been in place since 2006, enforcement actions by the Office of Civil Rights (OCR) for the Department of Health and Human Services continue to note failure to perform a risk analysis as part of the reason for enforcing monetary fines and corrective action plans. In 2020, the OCR cited failure to perform comprehensive risk assessments in 75% of their breach-related enforcement actions with fines ranging from $25,000 to $6.85 million. Additionally, the HIMSS 2020 Cybersecurity Survey noted that only 50% of the respondents were conducting comprehensive risk assessments.
Obtaining a HITRUST Certification also would demonstrate compliance with the requirements of the HIPAA Safe Harbor Rule. HITRUST would inarguably show that you have adopted best practices in cybersecurity. However, if you have not previously developed a cybersecurity program based on NIST or ISO, you may find that the requirements to obtain a HITRUST certification will require significant investment in time and resources. Many organizations chose to start by implementing a NIST or ISO-based cybersecurity framework before seeking HITRUST certification. Additionally, one of the HITRUST requirements is an enterprise risk assessment which may make starting with the NIST risk assessment a good first step if you believe HITRUST is your ultimate goal.