“HIPAA Safe Harbor Offers Limited but Important Protection,” Journal of Healthcare Risk Management

In a Journal of Healthcare Risk Management article about the HIPAA Safe Harbor Law, under which HIPAA-covered entities and their business associates receive certain protections when potentially facing fines and other penalties under HIPAA, Richard Sheinis, Partner and Leader of the Data Privacy and Cyber Security Practice Group at Hall Booth Smith, said the law can only be invoked after a data breach has occurred.

According to Sheinis, an entity should also be aware that simply complying with the HIPAA Security Rule likely will not be sufficient to meet the standard of recognized security practices: “Meeting the standard of recognized security practices is not easy and is not done quickly. Rather, it takes a great amount of coordination by the entity’s IT professionals to demonstrate in writing that the standards have been met,” he said. “Keep in mind that this safe harbor does not provide automatic immunity from a finding that a security breach occurred or that a penalty should be imposed. However, it can serve as an aid after the fact, to reduce the likelihood or amount of a penalty.”

The Safe Harbor Law is an incentive for entities to improve their security practices, Sheinis said. However, even if this standard is met, an entity can still be penalized for a security breach.

Subscribers to the Journal of Healthcare Risk Management may read the full article here.