HR 7898 – What is it?

In January 2021 then-President Donald Trump signed HR 7898, the HIPAA Safe Harbor bill, into law. The law amends the HITECH Act to require the Department of Health and Human Services (HHS) to take into account whether a covered entity or business associate had "recognized security practices" in place when HHS decides on fines, audits, and other remedies for HIPAA Security Rule violations. It does not replace or relax the HIPAA security standards already in force; it rewards organizations that can show they have adopted recognized practices on top of them. So, let's go over the details of the law and how you can take advantage of it moving forward.

What are the recognized security practices defined in this bill?

The bill defines these security practices as:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations under federal statutory authorities other than HIPAA.

These standards are already defined by other institutions, such as NIST and the 405(d) program, and the law does not prescribe which one you must use; the covered entity or business associate picks the framework that fits it and documents that it follows it. Although in theory you should already be doing these things, the government has decided to incentivize good practice.

What benefits come with best cybersecurity practices?

The law requires HHS to consider whether the entity had recognized security practices in place for at least the 12 months before a violation occurred. If it did, that fact can mitigate fines, reduce the length and extent of an audit, and favorably affect other agreed-upon remedies. The law also states explicitly that HHS gains no authority to increase fines or expand an audit because an entity has not adopted such practices; it is an incentive, not a new penalty.

The fines associated with violating HIPAA standards can be hefty, and if showing a good-faith effort can help lower them, the extra effort may well be worth it. Because the benefit depends on proving that the practices were in place for the prior 12 months, keep dated evidence (policies, risk assessments, audit logs, training records) that ties your controls to the framework you chose. So, be sure that your organization and its business associates are actually implementing, and can document, the recognized security practices defined in HR 7898.