Oct 5, 2022

HIPAA Safe Harbor Act Helps with Fines

The HIPAA Safe Harbor Bill was signed into law by President Trump on January 5, 2021. It amends the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act and may offer relief from HIPAA non-compliance fines and imposed corrective actions for organizations that engage in cybersecurity best practices.

In this blog post, we’ll provide an overview of the HITECH Act, HIPAA Safe Harbor Act, and how Tevora can help you comply with the HIPAA standards and best practices covered under the Safe Harbor Act, which can potentially reduce your liability for HIPAA violation fines.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient information. It outlines strict protocols that companies handling or encountering Protected Health Information (PHI) must adhere to.

HIPAA rules apply to “covered entities” and “business associates.” Healthcare providers, health plans, and healthcare clearinghouses are all considered covered entities. A business associate is a person or entity that performs functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. 

If a covered entity engages a business associate to help it perform healthcare activities and functions, they must have a written contract or other arrangement with the business associate that establishes the functions they will perform and requires them to comply with HIPAA rules to protect the privacy and security of PHI.

What is the HITECH Act?

Before the implementation of the HITECH Act on February 17, 2009, many covered entities and business associates did not consider HIPAA compliance to be a high priority. At that time, there was no requirement for covered entities to have a contract with their business associates requiring HIPAA compliance. And when a breach of PHI occurred at a business associate, covered entities were able to avoid fines and sanctions for being out of compliance with HIPAA by claiming that they had no knowledge of their business associate’s compliance violations. In addition, the HIPAA non-compliance fines were relatively low ($100 to $25,000 per violation), which led many covered entities and business associates to risk incurring the fines rather than making the investment of time and money required to become HIPAA-compliant.

The HITECH Act introduced a variety of changes designed to encourage HIPAA compliance and increase penalties for non-compliance, including:

  • Increased upper limit for non-compliance fines to $1.5 million per violation category per year.
  • Required business associates to sign a contract with their covered entities stating that they have the same legal requirements as covered entities to protect PHI.
  • Required business associates to report PHI breaches to their covered entities.
  • Required covered entities to report PHI breaches to individuals using their services.
  • Gave individuals the right to obtain electronic copies of their health information from covered entities.
  • Required covered entities and business associates to determine whether a HIPAA violation has resulted in unauthorized disclosure of PHI (before the HITECH Act, the Department of Health and Human Services was required to prove that a violation had occurred).

What is the HIPAA Non-Compliance Fine Structure?

The structure of the HIPAA non-compliance fines introduced with the HITECH Act is summarized below:

Source: HIPAA Journal, January 23, 2022 (HIPAA Violations)

Have Large HIPAA Non-Compliance Fines Been Assessed?

Here are examples of large HIPAA non-compliance fines that have been assessed since the HITECH Act was implemented:

HIPAA Non-Compliance Fines – Top 10 since 2017

Fined Organization                              | Year Fined | HIPAA Non-Compliance Fine Amount
------------------------------------------------|------------|---------------------------------
Anthem                                          | 2018       | $16.0 Million
Premera Blue Cross                              | 2020       | $6.9 Million
Memorial Healthcare System                      | 2017       | $5.5 Million
Excellus Health Plan                            | 2021       | $5.1 Million
University of Texas MD Anderson Cancer Center   | 2018       | $3.5 Million
Fresenius Medical Center North America          | 2018       | $3.5 Million
Children’s Medical Center of Dallas             | 2017       | $3.2 Million
University of Rochester Medical Center          | 2019       | $3.0 Million
Touchstone Medical Imaging                      | 2019       | $3.0 Million
Cottage Health                                  | 2018       | $3.0 Million

A Bridge Too Far?

The elevated fines, penalties, and requirements implemented with the HITECH Act had the desired effect, leading most covered entities and business associates to no longer consider HIPAA compliance optional.

In 2018, the Department of Health and Human Services (HHS) issued a Request for Information (RFI) to explore alternatives for easing the administrative burden the HITECH Act imposed on covered entities and business associates and to gather information on how data sharing could be improved to enhance coordination of healthcare services.

The RFI received over 1,300 responses, with many healthcare associations asking for a “safe harbor” exemption from HITECH Act financial penalties and imposed remediation plans if covered entities or business associates could demonstrate that they had implemented a recognized security framework prior to a PHI data breach or other HIPAA security violation. Many healthcare organizations expressed their strong opinion that the HITECH Act imposed excessive and unfair fines and administrative burdens on organizations that were doing their best to comply with widely recognized security standards in an effort to protect PHI.

The HIPAA Safe Harbor Act Addresses Concerns Raised in RFI

The HIPAA Safe Harbor Act amended the HITECH Act, addressing many but not all of the concerns raised in the HHS RFI. In the interests of incentivizing the adoption of cybersecurity best practices and reducing administrative burdens, the Safe Harbor Act instructs HHS to consider an organization’s existing security practices when determining penalties and corrective actions for HIPAA violations and defining the scope and duration of required HIPAA audits. HHS now has the discretion to refrain from assessing financial penalties entirely, reduce penalties, or reduce the administrative burden of imposed corrective action plans in specific circumstances, including:

  • When a HIPAA violation results in a fine for non-compliance.
  • When a HIPAA violation results in a corrective action plan.
  • When a HIPAA audit identifies failures to comply with HIPAA.

The Safe Harbor Act also allows HHS to be flexible in defining the length and scope of audits.

What Do You Need to Do to be Eligible for HIPAA Safe Harbor?

To be eligible for full or partial safe harbor from HIPAA non-compliance fines, corrective action plans, or audit requirements, covered entities and business associates must demonstrate at least twelve months of compliance with standards, guidelines, best practices, methodologies, procedures, and processes developed under Chapter 7 Section 272(c)(15) of Title 15 of the U.S. Code, the approaches promulgated under Title IV Section 405(d) of Act S. 754 114th Congress, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Your Trusted Partner

Tevora’s healthcare team has deep knowledge of and experience with the requirements of:

We can be a trusted partner to help you understand the complexities and implications of these laws and standards. We can also help you implement best practices and controls to ensure that your organization will qualify for safe harbor from fines and administrative burdens in the event that you experience a PHI breach or HIPAA violation. As part of this, we can help you verify that your covered entity or business associate organization is HIPAA compliant. Furthermore, since RFIs and associated changes are continuously happening (with the most recent in April 2022 on the HITECH Act), Tevora can help organizations stay on top of compliance needs resulting from any changes. Please visit Tevora Healthcare Services to see the services we provide.

We Can Help

If you have questions about HIPAA, the HIPAA Safe Harbor Act, or the HITECH Act, or would like help aligning your organization with the requirements of these standards and laws, just give us a call at (833) 292-1609 or email us at sales@tevora.com.