HIPAA Security and the Safe Harbor Law - Following Good Practices Limits Audits and Penalties

Webinar Details

Speaker: Jim Sheldon-Dean
Category: HIPAA and Compliance
All Days
Duration: 90 Minutes


Penalties for HIPAA violations have often run into the millions of dollars, and they have been imposed even when an organization had followed industry-established practices and HHS guidance. The HIPAA Safe Harbor Law, signed in January 2021, provides for more limited investigations and penalties when an organization can show it has been following recognized security practices for at least the previous year.

The case for investing in information security is therefore stronger than ever: following recognized good practices now directly reduces your exposure to investigations and penalties.

The US Department of Health and Human Services has shown no reluctance to enter into settlement agreements and collect financial penalties when a HIPAA entity suffers a breach or other security incident. Even when an entity took reasonable steps based on established good practices in security and privacy, an incident that involved a violation of the rules could still result in a penalty.

The HIPAA Safe Harbor Law is intended to limit an entity's exposure to investigations and penalties arising from information security incidents, but only when the entity can show that recognized security practices have been in place for at least a year. An entity that cannot show this gets no such mitigation: the investigation proceeds at full scope and penalties can still reach millions of dollars.

Session Highlights

  • The problem that the HIPAA Safe Harbor Law addresses
  • What the HIPAA Safe Harbor Law says
  • How the Safe Harbor protects an entity from lengthy investigations and high penalties
  • What steps need to be taken to qualify for the Safe Harbor
  • How to show you have had good security practices in place for at least a year
  • How the HIPAA Safe Harbor Law incentivizes good information security practices
  • How a lack of good security practices leads to higher penalties and deeper investigations

Areas Covered

For many years, health information has been threatened by security incidents caused by hackers and by lax practices at HIPAA entities. Yet even entities that take reasonable and appropriate steps to protect health information can suffer a breach or incident that results in a penalty.

There is concern that penalties are overly severe and investigations overly broad when an entity has taken reasonable, responsible steps to protect the information, and the HIPAA Safe Harbor Law is designed to ease that burden. If an entity can show it has followed the standards and guidance issued by the National Institute of Standards and Technology, the approaches developed under Section 405(d) of the Cybersecurity Act of 2015, or other recognized security practices, investigations and penalties are more limited.

On January 5, 2021, H.R. 7898, the HIPAA Safe Harbor bill, was signed into law. It amends the HITECH Act to require HHS to incentivize best-practice cybersecurity in meeting HIPAA requirements. The legislation directs HHS, when investigating, undertaking HIPAA enforcement actions, or acting for other regulatory purposes, to take into account whether a covered entity or business associate has had recognized security practices in place for the previous 12 months.

Further, the bill requires HHS to consider those practices when deciding whether to reduce fines, to shorten an audit or terminate it early on favorable terms, and to mitigate other remedies related to security incidents.

The law also expressly notes that these HITECH changes do not give HHS authority to increase fines or expand the extent of an audit when an entity is found not to have adopted the recognized security practices.

The term "recognized security practices" means the standards, guidelines, best practices, methodologies, procedures, and processes developed by NIST, the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. The law says that such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.

Once the appropriate practices are chosen, they must be put into effect and their use documented continuously, so that the entity can show they have been in place over time. The Safe Harbor does not apply unless the practices can be shown to have been in effect for at least a year.

In essence, the HIPAA Safe Harbor Law makes the case for improving information security practices by reducing the penalties and investigations that may follow an information security incident or breach. Failing to implement a sound information security management process leaves an entity fully exposed to tougher investigations and higher penalties.

Who Should Attend

Individuals responsible for risk management, compliance, privacy, and security of health information, and individuals implementing electronic health care information systems, such as:

  • CEO
  • Chief Financial Officer
  • Chief Information Officer
  • HIPAA Privacy Officer
  • HIPAA Security Officer
  • Privacy Officer
  • Information Security Officer
  • Risk Manager
  • Compliance Officer
  • Health Information Manager (HIM Manager)
  • Records Release Manager
  • Information Technology Manager
  • Information Systems Manager
  • Systems Manager
  • Medical Office Manager
  • Office Manager
  • Operations Director
  • HR Director
  • Healthcare Counsel/lawyer

Registration Options


  • For more than 6 attendees, call +1-800-803-7592 or email cs@conferencepanel.com
  • For check and ACH payment, call +1-800-803-7592 or email cs@conferencepanel.com
About the Speaker

Jim Sheldon-Dean (Principal and Director of Compliance Services)

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982 that provides information privacy and security regulatory compliance services to a wide variety of health care entities. He is a frequent speaker on HIPAA, including at numerous regional and national healthcare association conferences and conventions and at the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than two decades of experience specializing in HIPAA compliance; four decades of experience in policy analysis and implementation, business process analysis, information systems, and software development; and eight years of hands-on medical experience as a Vermont certified volunteer emergency medical technician. He received his B.S. degree, summa cum laude, from the University of Vermont and his master's degree from the Massachusetts Institute of Technology.