New HIPAA Safe Harbor Law

The new HIPAA “Safe Harbor” law H.R. 9898 became law on Jan. 5, 2021. It amended the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

This new safe harbor requires that, in the case of a data breach investigation, when calculating fines, evaluating audits or reviewing proposed mitigation steps, the Department of Health & Human Services (HHS) consider whether the covered entity or business associate adequately demonstrated that it had in place “recognized security practices” for at least 12 months prior that would:

  1. Mitigate HIPAA fines.
  2. Result in the early, favorable termination of a HIPAA audit.
  3. Mitigate the remedies in a HIPAA resolution agreement with HHS.

Under the law, “recognized security practices” means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under … the NIST Act, the approaches promulgated under … the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

Providers should take steps now to ensure that its internal practices use “recognized security practices” and ensure that vendors that handle protected health information (“PHI”) subject to HIPAA are compliant with the new HIPAA Safe Harbor law. This can be accomplished by including appropriate language in vendor agreements and/or business associate agreements; doing so should reduce exposure to HHS penalties for both the vendor/business associate and the provider/covered entity in the event of a data breach involving PHI.

Attorneys and practice areas related to this topic include:

Click here for a printable file.


This has been provided as an informational service and does not constitute legal counsel or advice, which can only be rendered in the context of specific factual situations. If a legal issue should arise, please contact an attorney listed or retain the assistance of other competent legal counsel. Case results depend on a variety of factors unique to each case and results do not guarantee or predict a similar result in any future case undertaken.