The HIPAA Safe Harbor Act

HIPAA Safe Harbor

In January, HR 7898 was signed into law; some are calling it the HIPAA Safe Harbor law. It’s not really a “safe harbor”, a term that implies the 100% elimination of legal and compliance risk. The encryption guidance, by comparison, is a Breach Safe Harbor, in that if you do what the guidance requires, your organization is exempt from the requirements of the HIPAA Breach Notification Rule. HR 7898 does not lift any requirements, or even lighten any penalties. It merely states that the Secretary of HHS “shall consider” the cybersecurity practices in place and “may” lessen the HIPAA penalties. To be precise, the Secretary may lessen the severity of the resolution agreements and lower civil monetary penalties. OCR still has its full discretion to enforce the HIPAA Rules, with the full amount and range of monetary and procedural penalties.

HIPAA and Section 405(d) of the Cybersecurity Act of 2015

That said, the 405(d) HICP (Health Industry Cybersecurity Practices) Publication is still a very useful resource. Out of the universe of possible threats to electronic PHI, it highlights five specific ones that need dedicated attention from healthcare organizations:

  1. Email Phishing Attacks
  2. Ransomware Attacks
  3. Loss / Theft of Equipment or Data
  4. An Insider’s Accidental or Intentional Data Loss
  5. Attacks Against Connected Medical Devices That May Affect Patient Safety

(In our experience, #4 is really two distinct threats, but this is nitpicking.) As part of your Security Risk Analysis, you should address these threats specifically. They have all happened before, they will all happen again, and you should prepare for all of them. If they occur, they can have devastating consequences for a healthcare organization. These are not the only threats to your PHI, of course, but they should be included in your Security Risk Analysis.

The Top Ten HIPAA Controls

In addition to these five specific threats, Section 405(d) also identifies ten specific controls you should have in place – not just for these threats, but as a good general practice:

  1. Email Protection Systems (i.e., securely configured email systems, phishing tests, user education)
  2. Endpoint Protection Systems (i.e., anti-virus, removal of local admins, enabling of local firewalls, encrypted hard drives)
  3. Access Management (i.e., implement “minimum necessary”, prohibit shared accounts, remove access promptly, require multi-factor authentication)
  4. Data Protection and Loss Prevention (i.e., Acceptable Use Policies, secure transmission, using a data destruction schedule)
  5. Asset Management (i.e., hardware and software inventory management, wiping of drives before disposal)
  6. Network Management (i.e., firewalls, network segmentation, intrusion prevention systems)
  7. Vulnerability Management (i.e., scanning systems and patching software)
  8. Incident Response (i.e., having a plan to respond to incidents and testing it)
  9. Medical Device Security (i.e., device isolation, physical security of the devices)
  10. Cybersecurity Policies (i.e., policies for Acceptable Use, Data Classification, and the use of Personal Devices)

HIPAA Safe Harbor Checklist

It’s important to note that these specific threats and controls are a starting point, not a checklist to complete and forget about. Each of these controls must be tailored to your organization in a “reasonable and appropriate” fashion. For example, how often should you scan for vulnerabilities? How quickly should you apply patches? How aggressive should your firewall settings be? What systems need multi-factor authentication for access, and how often should the user re-validate? These are questions that can only be answered by performing a security risk analysis. Contact Techumen for help with this foundational task.

Show your work

It’s not enough to have these controls in place. The HIPAA Safe Harbor is available to those who can “adequately demonstrate … that it had, for not less than the previous 12 months, recognized security practices in place”. The controls you have in place must generate some form of evidence as part of their operation. This is how you “adequately demonstrate” that the practices are in place. In the case of a firewall, this is the log file; in the case of a phishing test, this is the results report; in the case of a policy, it’s evidence that the policies are reviewed, read by all employees, and followed.

Make your own HIPAA Safe Harbor

Since your controls are producing all this evidence, you may as well make use of it. Your organization itself should review this evidence on a regular basis as part of your own, internal HIPAA Audit program. Once a quarter, or once every six months, review your controls and ask three questions:

  1. Is this safeguard still functioning as designed? (One breach victim had a fine firewall, but didn’t realize it had been turned off).
  2. Is the safeguard sufficient? Your anti-virus may be doing what you thought it would, but if it’s letting malware through once a month, it’s time to tighten it up.
  3. Can you show this? As an example, you should check that your log files are still there, that your policies have a review history, and that you record each hard drive’s deletion.


There is no such thing as a HIPAA Safe Harbor, unfortunately. Security threats will always be with us. But Section 405(d) of the Cybersecurity Act of 2015 is a great start to a mature, optimized security program, which is the safest harbor a healthcare organization can have.