How A HIPAA ‘Safe Harbor’ Could Change Data Breach Consequences
Healthcare Privacy Partner Shannon Hartsfield spoke with The Parallax View about an amendment to the HITECH Act that could significantly change how healthcare organizations are held responsible for data breaches affecting their patients. The amendment, known as H.R. 7898, empowers the head of the U.S. Department of Health and Human Services (HHS) to curtail or end audits of, and reduce or eliminate fines for, any healthcare organization deemed to have been complying with the latest cybersecurity standards for at least 12 months.
Ms. Hartsfield explains that the amendment is designed to avoid excessive penalties for breaches suffered by healthcare organizations that already comply with cybersecurity and breach-reporting regulations. “Up until now, a lot of HIPAA enforcement has been on breach reports,” Hartsfield says. “Most enforcement has been when a company that’s a victim of a crime does what they’re supposed to do—notify HHS—and then they get hit with an investigation and a significant penalty. The government wouldn’t have known about it if they didn’t report it.” The amendment “takes away the strict liability aspect of data breach liability. So if you do what the industry says you should be doing, and you still suffer a breach, the government can take that into consideration.”