Paubox blog: HIPAA compliant email made easy

What is HIPAA's safe harbor provision?

Written by Liyanda Tembani | June 09, 2023

The HIPAA safe harbor provision is designed to lessen financial penalties and shorten compliance inspections for covered entities and business associates who can prove that they implemented recognized security practices for at least one year.

 

Background of the HIPAA safe harbor provision

The HIPAA safe harbor law is not actually a direct HIPAA law but rather an amendment to the HITECH Act. The amendment to the HITECH Act originated from a Request for Information issued by the Department of Health and Human Services (HHS) in 2018. The request garnered over 1,300 responses, with numerous healthcare associations advocating for the implementation of a "safe harbor."

This safe harbor provision would exempt covered entities and business associates from financial penalties and corrective action plans if they could demonstrate the adoption of a recognized security framework prior to a data breach or any other security-related HIPAA violation.

 

Breakdown of the HIPAA safe harbor provision

Although the HIPAA safe harbor law does not entirely exempt covered entities and business associates from financial penalties when they have implemented a recognized security framework, it does offer an opportunity for the HHS to exercise discretion in enforcing penalties, mitigating liabilities, or reducing administrative burdens in specific situations. These specific circumstances include:

  1. Instances where a non-compliance fine is imposed due to a HIPAA violation.
  2. Cases where a corrective action plan is required as a result of a HIPAA violation.
  3. Situations where failures to comply with HIPAA are identified during a HIPAA audit.

Additionally, the law allows HHS to be flexible regarding the duration and scope of audits. However, this relief, as well as the provisions to reduce penalties for HIPAA violations, is contingent upon covered entities and business associates demonstrating at least twelve months of compliance with standards and guidelines as outlined in the HIPAA Security Rule.

Related: HIPAA compliant email: A definitive guide

 

Ensuring compliance with the HIPAA safe harbor provision

Organizations that have implemented appropriate security standards and documented their measures to adhere to the Security Rule are not required to take additional steps to comply with the HIPAA safe harbor provision. If, despite the organization's best efforts, a violation still occurs, the impact of the provision is limited to the discretion of the HHS regarding fines and/or remedial actions.

For organizations uncertain about potential gaps in their HIPAA compliance, the HIPAA safe harbor provision should be seen as an incentive to conduct a comprehensive risk assessment. Addressing any compliance gaps reduces the likelihood of a violation and potentially lowers the penalties and administrative burden in the event of non-compliance.

Note: Since the HIPAA safe harbor provision is an amendment to the HITECH Act, it exclusively applies to failures to comply with the Security Rule.

 

Links between the provision and the safe harbor method of de-identification

This law is often confused with the safe harbor method of de-identification, because the latter is also often referred to as a safe harbor provision.

While the safe harbor method pertains to sharing de-identified PHI for research purposes, the HIPAA safe harbor provision affects HHS's discretion on fines and remedial actions related to HIPAA violations. Organizations that have implemented appropriate security standards and documented their compliance measures need not take additional steps to comply with the HIPAA safe harbor act.

 

What is the safe harbor method of de-identification?

Under HIPAA, there are two methods to de-identify data: the Expert Determination method and the Safe Harbor method.

The Safe Harbor method, according to the U.S. Department of Health & Human Services, requires the removal of 18 types of PHI identifiers.

Once these identifiers are removed, and the covered entity has no knowledge that the remaining information could be used to identify an individual, the data is considered de-identified.

 

The first step is a risk assessment

Conducting a thorough risk assessment to address any compliance gaps reduces the likelihood of violations and potentially lessens the penalties and administrative burden in case of non-compliance. 

Related: How to perform a risk assessment