HIPAA Safe Harbor Bill: Understanding What It Means for Your Practice

  During 2020, the country focused on the COVID-19 pandemic, and between January and October the healthcare industry became a major target for cyberattacks. Provider facilities accounted for 79 percent of all breach reports to the Department of Health and Human Services (HHS). One malware attack halted IT systems at the 26 hospitals of Universal Health Services, Inc. An email hack exposed the personal data of about 500,000 Aetna health plan members. Attacks like these interfere with a facility's ability to care for patients and can put it in violation of HIPAA. Many of the victims had taken good-faith measures to prevent attacks, yet they were still liable. The HIPAA Safe Harbor Bill changes how that liability is assessed for entities that manage protected health information (PHI). Keep reading to learn what you need to know to ensure compliance.


The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. It created a national standard designed to secure patient PHI. The HHS Office for Civil Rights (OCR) is the primary enforcer of this law. Other entities involved in HIPAA enforcement include:

  • Centers for Medicare and Medicaid Services (CMS)
  • Federal Communications Commission
  • State Attorney General
  • U.S. Food and Drug Administration

The HIPAA law includes the following five rules.

Privacy Rule

The Privacy Rule focuses on protecting individuals' PHI and medical records. It sets limits and procedures for the use and disclosure of PHI; a key question is when a release of PHI requires the patient's authorization. The Rule specifies forms that are part of compliance, including:

  • Authorization for Use or Disclosure
  • Notice of Privacy Practices
  • Privacy Complaint Form
  • Request for Accounting Disclosures
  • Request for Restriction of Patient Health Care Information
  • Request Access to Protected Health Information

Patients have the right to get a copy of their records, review them, and request corrections.

Security Rule

The Security Rule addresses electronic PHI (ePHI). It defines the standards, procedures, and methods that apply to ePHI, including how it is stored, used, and transmitted. The Rule groups the required safeguards into three categories. Administrative safeguards cover the security management process: risk analysis and risk management, an assigned security official, workforce training, and the policies that govern ePHI. Technical safeguards cover the technology that controls access to ePHI, such as unique user identification, authentication, audit logging, integrity controls, and encryption of data at rest and in transit. Physical safeguards cover physical access to the facilities, workstations, and devices that hold ePHI, including media disposal and reuse. Organizations must perform the risk analysis and risk management the Rule requires, covering the software, hardware, and transmission systems that handle ePHI.

Transactions Rule

This rule (the Transactions and Code Sets Rule) standardizes the electronic formats and the medical code sets used in HIPAA transactions so that PHI is exchanged accurately and consistently between entities. Examples of code sets used in these transactions include CPT-3, CPT-4, ICD-9, ICD-10, HCPCS, and NDC codes.

Identifiers Rule

HIPAA defines three unique identifiers for covered entities (CEs). CEs are healthcare providers, health plans, and health care clearinghouses (HCCs). An HCC processes nonstandard health information it receives from another entity into a standard electronic format, or vice versa. These CEs handle the financial and administrative transactions that HIPAA regulates. The three identifiers are described below.

National Provider Identifier (NPI)

The NPI is a 10-digit, intelligence-free numeric identifier: it carries no information about the healthcare provider, such as the state where they live or work. The NPI replaced the legacy provider identifiers formerly used in HIPAA standard transactions.

National Health Plan Identifier (HPID)

The HPID was adopted to identify health plans and payers in standard electronic healthcare transactions and to remove the ambiguity caused by the varied ways health plans perform functions and by differing definitions of the term "health plan". HHS rescinded the HPID requirement in 2019, so it is no longer in use.

Standard Unique Employer Identifier (SUEI)

The SUEI is the Employer Identification Number (EIN) issued by the IRS. It identifies the employer involved in a HIPAA transaction.

Enforcement Rule

This Rule establishes investigation procedures and civil money penalties for violating the HIPAA Privacy and Security Rules; the HITECH Act strengthened it and extended it to business associates. It focuses on five areas related to CEs and business associates (BAs), including:

  • HIPAA privacy and security standards
  • Mandatory federal security and privacy breach reporting criteria
  • New privacy and accounting disclosure requirements and sales/marketing standards
  • New civil and criminal penalties, including punishment for HIPAA non-compliance
  • New security rules to be part of all business associate contracts

HIPAA Violations

Almost 250 million people were affected by healthcare data breaches between 2005 and 2019. Such breaches often result from failure to comply with HIPAA standards. A violation is any impermissible use, access, or disclosure of PHI, or any other failure to meet a HIPAA requirement. The increased use of electronic health records widens the attack surface for cyber-related breaches, which puts patients' PHI at significant risk. HIPAA violations can lead to civil fines that reach millions of dollars, and individuals who knowingly violate HIPAA can face criminal fines and up to 10 years in prison.

HIPAA Safe Harbor Bill

The HIPAA Safe Harbor Bill (HR 7898) amended the HITECH Act. It requires HHS, when deciding fines, audits, or other remedies after a breach or regulatory issue, to consider whether the CE or BA had "recognized security practices" in place for the previous 12 months. The Bill defines recognized security practices as the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act (the provision under which the NIST Cybersecurity Framework is developed), the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other cybersecurity programs recognized under other statutory authorities. CEs and BAs that want the benefit of the Bill should adopt and document, for at least 12 months, all applicable:

  • Best practices
  • Guidelines
  • Methodologies
  • Procedures
  • Processes
  • Standards

The goal is to limit penalties and shorten audits for entities that follow recognized cybersecurity practices.

HIPAA Safe Harbor Act

The President signed the HIPAA Safe Harbor Bill into law on January 5, 2021 (Public Law 116-321). The Act directs HHS to give healthcare entities an incentive to implement recognized security practices. It also specifically provides that HHS may not use it to increase fines or extend audits for entities that have not adopted recognized security practices: the law only mitigates penalties, it never aggravates them. Separately, the HHS Office of Inspector General (OIG) may investigate claims of information blocking against developers of health information technology and other entities, with assistance, information, and support from other federal agencies. In the past, severe HIPAA penalties were levied against facilities victimized by cyberattacks, even when they had well-resourced cybersecurity programs. The Act works to rebalance that inequity and to encourage health facilities to invest in cybersecurity, improving both regulatory compliance and patient safety.

HIPAA Privacy Rule De-Identification Using the Safe Harbor Method

The Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)) is a de-identification standard that predates, and is unrelated to, the Safe Harbor Act described above; the two only share a name. Under it, a covered entity removes the following identifiers of the individual and of the individual's relatives, employers, and household members:

  • Names
  • All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code, and equivalent geocodes), except that the first three digits of a ZIP code may be kept if the area sharing those three digits has more than 20,000 people; otherwise the first three digits become 000
  • All elements of dates (except year) directly related to an individual, such as birth, admission, discharge, and death dates
  • All ages over 89 and all elements of dates (including year) that indicate such an age; these may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Fax numbers
  • Device serial numbers and identifiers
  • Email addresses
  • Uniform resource locators (URLs)
  • Social security numbers
  • Internet Protocol (IP) addresses
  • Medical record numbers
  • Biometric identifiers, including finger and voice prints
  • Health plan beneficiary numbers
  • Full-face photographs and any comparable images
  • Account numbers
  • Certificate or license numbers

The rule also removes any other unique identifying number, characteristic, or code, and it requires that the covered entity have no actual knowledge that the remaining information could be used, alone or with other information, to identify the individual. Health data de-identified in this way is no longer PHI, and the Privacy Rule no longer restricts its use or disclosure.
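The following Python script is an added example of the Safe Harbor method applied to a structured patient record; it is not code from the original article, from HHS, or from HIPAA Exams. The field names, the two fictitious records, the reference date AS_OF, and the set of sparsely populated three-digit ZIP areas are all constructed assumptions. It shows the parts of the list above that need logic rather than deletion: dates reduced to years, ages over 89 collapsed to "90+" with the birth year dropped, ZIP codes truncated to three digits or to 000, and sub-state geography removed while the state is kept. It fails closed: a field it cannot classify is refused rather than passed through.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example for this article, not code from HHS or HIPAA Exams.
Field names, the sample records, AS_OF and the sparse ZIP prefixes are
constructed assumptions. A real deployment would load the three-digit ZIP
population table from Census data and review free-text notes separately,
since the checks below only see named fields.
"""
from datetime import date
from typing import Any, Dict, FrozenSet

# Safe Harbor identifiers removed outright (names, phone/fax, email, SSN,
# MRN, plan and account numbers, licences, vehicle and device identifiers,
# URLs, IP addresses, biometrics, photographs). Field names are assumed.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
})
# Geographic subdivisions smaller than a state are removed; state stays.
SUB_STATE_GEOGRAPHY = frozenset({"street", "city", "county", "precinct"})
# Dates directly related to the individual: only the year survives.
EVENT_DATES = frozenset({"admission_date", "discharge_date", "death_date"})
# Fields that carry no Safe Harbor identifier and pass through unchanged.
PASS_THROUGH = frozenset({"state", "sex", "diagnosis_codes", "procedure_codes"})

# Assumed reference date for computing ages (the Act's signing date).
AS_OF = date(2021, 1, 5)

# Constructed, fictitious records.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-0000001",
    "email": "jane@example.com", "phone": "555-0100",
    "street": "1 Main St", "city": "Springfield", "county": "Example County",
    "state": "IL", "zip": "62704",
    "birth_date": date(1928, 3, 15),
    "admission_date": date(2020, 9, 27), "discharge_date": date(2020, 10, 2),
    "sex": "F", "diagnosis_codes": ["J18.9"],
}
YOUNG_RECORD: Dict[str, Any] = {
    "name": "John Example", "state": "NH", "zip": "03601",
    "birth_date": date(1990, 6, 30), "admission_date": date(2020, 4, 1),
}


def age_on(birth_date: date, as_of: date) -> int:
    """Completed years of age on as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def truncate_zip(zip_code: str, sparse_prefixes: FrozenSet[str]) -> str:
    """Keep the first three ZIP digits unless that three-digit area has
    20,000 or fewer people, in which case the rule requires '000'."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in sparse_prefixes else prefix


def deidentify(record: Dict[str, Any], as_of: date = AS_OF,
               sparse_prefixes: FrozenSet[str] = frozenset()) -> Dict[str, Any]:
    """Return a Safe Harbor de-identified copy of record.

    Fails closed: a field that is neither a known identifier nor an
    allow-listed field raises, rather than leaking through untouched.
    """
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key == "zip":
            out["zip3"] = truncate_zip(value, sparse_prefixes)
        elif key == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"  # aggregated; the birth year would reveal the age, so it is dropped
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in EVENT_DATES:
            out[key.replace("_date", "_year")] = value.year
        elif key in PASS_THROUGH:
            out[key] = value
        else:
            raise ValueError(f"field {key!r} not classified; refusing to release it")
    return out


def deidentify_samples() -> Dict[str, Dict[str, Any]]:
    """De-identify both constructed records, treating 036xx as a sparse ZIP area."""
    sparse = frozenset({"036"})  # assumption for the example, not Census data
    return {"elderly": deidentify(SAMPLE_RECORD, AS_OF, sparse),
            "young": deidentify(YOUNG_RECORD, AS_OF, sparse)}


if __name__ == "__main__":
    for label, rec in deidentify_samples().items():
        print(label, rec)
```

Running the script prints the elderly record reduced to state, a three-digit ZIP, the category "90+", admission and discharge years, sex and diagnosis codes, and the young record with its ZIP replaced by 000 because the example treats 036xx as a sparse area. The allow-list design matters more than the individual rules: a denylist of known identifiers would silently pass any new column an upstream system adds, which is exactly how "other unique identifying numbers" leak. The script still does not satisfy the rule's second condition, the absence of actual knowledge that the remaining data can identify someone, which a reviewer must judge for the specific data set.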

What is HIPAA Training?

HIPAA requires training for every workforce member who has contact with PHI. Training must describe how the facility restricts access to PHI and tracks and audits its use. Workers should learn the HIPAA rules and the facility's policies and procedures (P&P), and how to document and keep records of compliance with them; these records will be invaluable in the event of a breach or attack. Teach employees the organization's plan for reviewing data security measures and the remedial plan to follow when a gap in compliance is found. Provide a list of actions to take if they suspect or detect a PHI breach. All of the organization's BAs and the CEs it works with must also be HIPAA compliant, so the facility should request proof of compliance from them.

How Often Do Employees Need HIPAA Training?

Neither the Privacy Rule nor the Security Rule sets a fixed time frame for training. The Privacy Rule requires new workforce members to complete HIPAA training within a "reasonable" period and requires retraining when changes to the P&P affect a worker's function. "Reasonable" is typically interpreted as within the first few days or weeks after hiring, not months. The Security Rule requires security awareness training with "periodic" updates. Most healthcare facilities run training annually for all applicable workers.

What is HIPAA Certification?

There is no official HIPAA certification for providers or facilities, yet they are required to follow all HIPAA standards related to PHI. HIPAA Exams offers a comprehensive course and certification to manage staff HIPAA training. It explains the five HIPAA Rules and strategies for meeting federal regulations.

Would Your Organization Benefit from a Trusted HIPAA Training Provider?

In today's environment, regulations and threats are constantly changing, which makes it a challenge for facility leaders to keep employee HIPAA training current. HIPAA Exams has been a trusted source for HIPAA training since 2008. Our program is one of the few to hold IACET accreditation and SBA 8(a) certification. We offer annual mandatory HIPAA and OSHA training at affordable prices. Employees can take our computer-based courses on any PC, Mac, or mobile device, and can download, email, or print their certificate after successfully completing a course. Contact us today so we can help you meet all of your HIPAA training requirements.

For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.