The HIPAA safe harbor provision is designed to reduce financial penalties and shorten compliance audits for covered entities and business associates that can demonstrate they had recognized security practices in place for at least the previous twelve months.
The HIPAA safe harbor law is not itself part of HIPAA; it is an amendment to the HITECH Act. The amendment originated from a Request for Information issued by the Department of Health and Human Services (HHS) in 2018. The request drew more than 1,300 responses, with many healthcare associations advocating for a "safe harbor."
Such a safe harbor would exempt covered entities and business associates from financial penalties and corrective action plans if they could demonstrate that they had adopted a recognized security framework before a data breach or other security-related HIPAA violation occurred.
Although the HIPAA safe harbor law does not entirely exempt covered entities and business associates from financial penalties when they have implemented a recognized security framework, it does require HHS to take that implementation into account, which gives HHS discretion to reduce penalties, mitigate liability, or ease administrative burdens in specific situations, such as when it sets the amount of a fine or decides what remedial action to require after a violation.
The law also allows HHS to be flexible regarding the length and extent of audits. This relief, like the reduction of penalties for HIPAA violations, is contingent on the covered entity or business associate demonstrating that recognized security practices addressing the standards and guidelines of the HIPAA Security Rule had been in place for at least the previous twelve months.
Related: HIPAA compliant email: A definitive guide
Organizations that have already implemented appropriate security standards and documented how those measures satisfy the Security Rule need take no additional steps to benefit from the HIPAA safe harbor provision. If a violation occurs despite those efforts, the provision's effect is limited to HHS's discretion over fines and/or remedial actions; it does not guarantee a particular outcome.
For organizations uncertain whether gaps exist in their HIPAA compliance, the safe harbor provision is an incentive to conduct a comprehensive risk assessment. Closing any gaps reduces the likelihood of a violation and, if one does occur, may lower the penalties and administrative burden that follow.
Note: Because the HIPAA safe harbor provision is an amendment to the HITECH Act concerning security practices, it applies only to failures to comply with the Security Rule.
This law is often confused with the safe harbor method of de-identification, because both are referred to as "safe harbor." The two are unrelated: the safe harbor method is one of the ways to de-identify PHI so that the resulting data can be used and disclosed (for example, for research) without the Privacy Rule's restrictions, whereas the HIPAA safe harbor law affects HHS's discretion over fines and remedial actions after a HIPAA violation.
Under HIPAA, there are two methods to de-identify data: the Expert Determination method and the Safe Harbor method.
The Safe Harbor method, according to the U.S. Department of Health & Human Services, requires the removal of 18 types of identifiers of the individual and of the individual's relatives, employers, and household members.
Once these identifiers are removed, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual, the data is considered de-identified.
In short, a thorough risk assessment that closes compliance gaps both reduces the likelihood of a violation and improves an organization's position under the safe harbor provision should a violation occur.
Related: How to perform a risk assessment