Safe Harbor Law

Covered entities (CEs) and business associates (BAs) that handle protected health information (PHI) and can demonstrate that they had recognized security practices in place for the previous twelve (12) months may face reduced fines and penalties, and reduced audit scrutiny, from the HHS Office for Civil Rights (OCR) in the event of a cyberattack or data breach. H.R. 7898, Public Law 116-321, also known as the HIPAA Safe Harbor Law, was signed into law on Jan. 5, 2021.[1] The name is a bit of a misnomer: the law does not bar enforcement, it directs HHS to consider a regulated entity's recognized security practices when determining fines, audit results, and the remedies in a resolution agreement, and the exact requirements for demonstrating those practices remain unclear until they are promulgated by the U.S. Department of Health and Human Services (HHS). A better description may be a "protected harbor."