A Practical Approach to The Safe Harbor Law

1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of A Practical Approach to The Safe Harbor Law. Ray joins our host Catherine Short to discuss how HIPAA data breach penalties typically get measured in millions of dollars, even following an organization implementing NIST cybersecurity framework measures. However, with the new HIPAA Safe Harbor Law, signed in January 2021, HHS and OCR may consider some penalty mitigation. It is important to understand that the Safe Harbor Law, while offering substantial protection, does not provide a true safe harbor and only offers some protection. This episode will examine what the established security practices for healthcare are, and how to pivot your organization’s security profile to mitigate breach penalties if an event occurs.

Catherine Short 0:01

Welcome, and let’s, 1st Talk Compliance. I’m Catherine Short, Marketing Manager for First Healthcare Compliance, a division of Panacea Healthcare Solutions. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. Please show your support by taking a moment to provide a review on Google, Facebook, or iTunes, and be sure to follow us on social media and subscribe to our YouTube channel.

On today’s episode, we are speaking with Raymond Ribble, CEO and Founder at SPHER Inc, on the topic of A Practical Approach to The Safe Harbor Law. HIPAA data breach penalties typically get measured in millions of dollars even following an organization implementing NIST cybersecurity framework measures. However, with the new HIPAA Safe Harbor Law signed in January 2021, HHS and OCR may consider some penalty mitigation, it is important to understand that the Safe Harbor Law while offering substantial protection does not provide a true Safe Harbor and only offers some protection. This episode will examine what the established security practices for healthcare are, and how to pivot your organization’s security profile to mitigate breach penalties if an event occurs.


Catherine Short 1:39

So Ray, thank you so much for joining me on 1st Talk Compliance. It’s a pleasure to have you on.


Raymond Ribble 1:42

Thank you for having me, I appreciate it.


Catherine Short 1:43

Again, I’m so happy you’re here today. Today we’re discussing about the Safe Harbor Law and we’re going to be talking about a practical approach. For people who are new to this, can you give us a good background or a brief description about what we are going to be discussing as far as some compliance background? Or how we got here as far as I know that HIPAA has a Safe Harbor Law? And I know that that affects how people need to protect their health data and their data in general. Can you give us a little bit of background of what we should be protecting and what we should be careful of and what we should be discussing?


Raymond Ribble 2:27

Sure. For our listeners, I’ll try to give you the cliff note version of what it is. What I wanted to do for everybody who’s listening today is just give you a brief introduction to what is the Safe Harbor Law. I don’t want you to become experts on the Safe Harbor Law, I don’t want you to be able to click off the five things that it does. That’s not the background. It’s just that some well thought politicians in both the Senate and the House got together and said, Hey, look, we’ve provided all this money to help these medical institutions move from paper to digital. In doing so, we’ve exposed them to a brand new set of risks in terms of data breaches that can occur that didn’t exist before. And now we’re asking them to spend more money to implement policies and procedures and potentially technology solutions in order to protect that digital data. So that’s the first part of it. And they said look, for the organizations that embrace these ideas that go the extra mile that implement these policies and procedures, that are not experts on the Privacy Rule in the Security Rule and HIPAA, but they do understand that protecting patient data is a new requirement that they have to adhere to, and they want to do their best. They don’t want to do the best. They want to do their best to protect that data. They wanted to incentivize those organizations for implementing cybersecurity best practices.

And in doing so, they put out what was called the House Resolution 78 98, which became the Safe Harbor Law. It was signed into law on January 5, 2021, by the President, and basically, that became public law 116-321, which is affectionately called the Safe Harbor Law. There are Safe Harbor Laws in other industries. This particular Safe Harbor Law is specific to the healthcare industry. So that’s why it’s important to you and I and to our listeners today.


This Safe Harbor Law again, 116-321 is the high-tech Safe Harbor Law if you want to think of it that way. And what it says is that if you implement policies and procedures, technologies, training, documentation around protecting your patients PHI (Protected Health Information), and you still experience a breach, that when the investigation from the OCR auditors occurs, and it will occur, that you will not be penalized as heavily as an organization who did nothing. That you should be incentivized ie through that lack of penalties and monetary penalties, you should be incentivized to do that, so that there is a risk-reward type scenario that’s set up in this. If you’re going to spend the money to protect that data, and then ultimately, it really happens and you have a breach, you should be getting a pat on the back and a reward for having spent that money and the time and the investment and the education with your staff to do the best that you can do. Nobody can fully prevent a breach, but you went the extra mile, and they wanted those organizations to be rewarded.

The word they use, is it mitigates the probability of a major penalty, but in my opinion, really what they’re saying is attaboy, it’s not going to cost you 8.1 3 million and might cost you 50,000. You had a breach, that’s a bad thing. There’s some risk slapping that has to take place, but you’re not going to pay millions of dollars, because you paid up front, you made the investment to do the best that you could do, those cybersecurity best practices that I spoke about, you implemented parts of NIST, you went out and purchase some third party products, you educated your staff, you documented all of that, you did your security risk assessment every year, you did what was reasonable and appropriate for an organization of your size, and you still had a breach. Should you be blamed for that? The bad guys can basically spend 365 days a year trying to break into your system. You’re not going to spend 365 days trying to prevent them from breaking into your system. So there’s got to be some risk reward there. That’s where the Safe Harbor Law is coming from.


Catherine Short 7:17

That was a really great explanation. Thank you so much. That actually was a very practical approach. Concerning standards of security. What should we be using as a guide? For example, does HHS  provide a guidebook?


Raymond Ribble 7:32

I think a great starting point is NIST. For those of you who don’t know what NIST is or what it stands for, so National Institute of Science and Technology. Basically what they do is they provide a security framework for many industries, not just the healthcare industry. What I’ve recommended to organizations is if you take a look at NIST in the five key areas that they identify, and then you put that together with the recommendations coming from the 405(d) taskforce, then I think that that is a blueprint that you can start going down towards protecting your organization without making mistakes or spending money where you don’t need to spend money.


Catherine Short 8:16

What is NIST cybersecurity framework?


Raymond Ribble 7:20

The NIST cybersecurity framework comes from the National Institute of Standards and Technology. It was developed many years ago, as a guideline to help organizations to understand what they need to do in order to identify, protect, detect, respond, and recover important data. So outside of healthcare, it might be PII, in healthcare world what we call PHI (Protected Health Information).

It’s a set of guidelines that we can look at and apply to our organization. Some of them are procedural. Some of them are technical in terms of third party products, or downloadable products from manufacturers that cost us nothing, that we can put in place that allows us to see who’s looking at our data, when are they looking at the data? Is that appropriate for them to look at the data? If it’s not appropriate, and we’ve determined that it’s a problem, then how do we recover that and how do we respond to that? So NIST security framework would be complimentary to us following the HIPAA rules, whether it’s the Security Rule, the Privacy Rule, the Breach Notification Rule. By following NIST and the NIST cybersecurity framework. This is very much in line with what we’re doing for our HIPAA compliance


Catherine Short 9:53

If a facility can afford to do this does that in itself, grant them the protection and penalty mitigation that you’ve talked about previously?


Raymond Ribble 10:04

I like that question. Let me do my best to answer it. Let’s just take make the assumption that we don’t have a lot of money and historically, my organization has never spent a lot of money on technology to protect patient data. Let’s just that’s our example for this question. But I took the time to look at this NIST cybersecurity framework and I can see what the five key areas are. They’re making some recommendations, I went over to 405(d) task group, and I saw what they had and I said, Okay, I’m going to pick two or three things from each of those five things. I’ll repeat them just for the sake of the audience: identity, protect, detect, respond, and recover. And I’m going to apply a few of these rules to each of these that I think best aligns with the type of organization we have, whether we’re a pediatrics, an oncology, dermatology, plastic surgery, whatever type of practice we are, we all fall under that HIPAA umbrella. And what I’m trying to do is apply certain rules or guidelines that NIST provides in order to protect the data. Even if none of the things that I do involve me purchasing a third party product to do it. If I can accurately, regularly and appropriately document that I’m doing that, then the answer to your question is yes, that would allow us to mitigate, in the event of a breach mitigate the

exposure to penalties that might come from an OCR investigation.


Catherine Short 11:40

If you had to name perhaps three security practices, what do you see as being the most important first to use today?


Raymond Ribble 11:50

Three that I think would be the most important, I think protecting your email is extremely important. It is probably the one thing that everybody listening today uses and probably uses almost from the minute they get up until just before they go to bed. They’re accessing email, they’re looking at messages, they’re opening emails from third party, some of them are unknown third parties. So having email protection on your devices, especially devices that handle PHI, to me, is extremely important.

Two, access management. Knowing who’s coming into my system, and who is accessing the PHI and are they accessing that information for the purpose of providing care to our patients, would be equally important to me.

The last thing, if I look at this, I would say is going to be having good cybersecurity policies. So that’s more of not a technical thing. So email, access management, and cybersecurity policies. Educating my staff on what to do, and what to look for, if they see something that seems suspicious, just teaching them not to click on it, not to open it, to ask questions first, can save us millions of dollars. So if I broke down those 10 to three that I feel are important, and a different person might give you three different answers. Those would be the three I would pick off the top of my head.


Catherine Short  13:22

If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER Inc, on the topic of  A Practical Approach to The Safe Harbor Law. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.


Catherine Short  13:57

If we’re discussing phishing emails, does it help if we monitor them, if we implement encrypted email?


Raymond Ribble 14:04

If we’re trying to prevent phishing emails from getting into our system, we would typically install something like Malwarebytes or Bitdefender, or Sophos, or many of these third-party products. Some of them are even sold with your laptop and your PCs, your Mac books when you buy them. You want to make sure that you activate those licenses and that you use them and they help to prevent certain types of phishing emails to come in.

Having said that, your question was also with regard to just email encryption as well. Email encryption is very different from phishing emails. Email encryption is encrypting, so it’s codifying the email that you’re using to do business and ensuring that if some third-party intercepts that email which is not phishing, that they cannot encode that and look at it unencoded, and see what was in there. Two different things completely. Just to be clear, I hope I’m answering this question correctly.

So I do recommend that you don’t use products like Gmail, or AOL, or any at home third party email system to be sending information to your patients. I think something that was discussed before is, you should be using the portal that’s provided to you by your EHR company, in the best of my knowledge 90% more provide those types of portals that you can use that as a way of communicating and that data is encrypted. So that email is encrypted, they’re providing that encryption for you as a byproduct of using their solution. So that solves a lot of problems for you.


If you have your own email server, that you communicate with your patients with for whatever reason, then you should be installing some type of third-party email encryption on that system. The responsibility under the law is you must encrypt that email going out. There is not the equivalent of the patients sending you email and having ePHI in that email, that is not a violation because HIPAA doesn’t apply to them the way it applies to you. So let me pause there and make sure. Am I answering the question correctly?


Catherine Short 16:32

Yes, sure.


Raymond Ribble 16:34

Okay. Because there are two different things there that you asked me actually.


Catherine Short 16:38

So yeah, that was great.


Raymond Ribble 16:42

Okay, good. So again, phishing, I want to use third party products, to catch the majority of the phishing emails. And then let me add to that, Catherine, is, let’s be careful. If we see something we recognize, just because we recognize it, please don’t click, look first, put that cursor over wherever it says click here. Look down in the lower left hand corner and see where it’s actually going. Ask yourself, was I expecting this email? Is this email something that I normally get from this organization? And if those answers are no, hey, just leave it alone. Go to your interface that you might interact with that company, whether it’s your bank, or your cable company, or you’re a third party hosting site, and call them and say, Hey, by the way, I got an email from you guys, it says, and I guarantee you 99% of the time, they will say to you, we would never send you an email for something like that, right? You hear it all the time. They don’t send those things because they know that’s what the bad guys are doing. So they don’t send them. So when in doubt, don’t click in check first. That’s I want to add that as a caveat to the answer for phishing. Okay,


Catherine Short  17:57

Perfect.  When you’re talking about phishing emails, you probably look at this a lot more as far as where they’re coming from. With phishing emails, do you think that they coming more from organizations, either organizations as far as foreign entities or from criminal organizations and working as employers, there’s a head person, and then they have people working for them? And then they’re sending out tons? Or are there lots of individual people, 15-year-olds out there who are trying to make some dough? What does the stats say about what they think people are doing?


Raymond Ribble 18:34

Clearly, you understand the issue, because your examples are really good examples. So, I can share with you a couple of my own personal observations. I think I told you before Catherine, I lived in China for two and a half years and while I was there, and this was in the midst of the explosion of the internet, between 2005 and 2010 I had an opportunity to visit a couple of sites, where there were 1000s of employees who were working in these warehouses and what they were doing was hacking. They were paid to sit down and to hack into various systems using bots, using phishing mechanisms, using third party software, in order to break into the systems. Why I was allowed to go there and why I was there would be a different story, but I saw that, and then it was explained to me that these types of sites exist not only in China, but in a number of other countries, including Africa, Europe, and even unfortunately, here in the United States or in South America. So it’s not one nation, nation state sponsored attempt, but it could be a private industry, it could be for somebody, it’s a business. That’s what scary.


How do they target you? They can get third party data. You know, I always tell people, if you’re on Facebook or some social media, don’t answer your friends quizzes about who is your favorite teacher in fifth grade or what was the name of the street you lived on when you were growing up, because unfortunately, nine times out of 10, those are hints to the types of security passwords that you use. These companies are the ones sponsoring those social media trivia contests. They gather that data, they now have your email, they have some answers from you, they know that your proclivity is to answer those questions. And they start to put a behavioral reveal map together. Then what they do is they target you with an Amazon or Barnes and Noble, or they know somehow they figured out you’re an Anthem customer, or you’re using Signa, or whatever the case may be. Verizon, T Mobile AT&T. The probability that you’re using one of those three mobile companies is pretty high. I keep getting this one on my phone for a PayPal, I don’t use PayPal. But I’m getting emails and text messages saying that my PayPal account has been compromised, please login to correct right away. Well, it’s pretty obvious, somebody’s got bad information. But they got my phone number. That’s pretty easy for them to get my phone number. But they keep sending me these messages. And I just laugh at it. And I delete it. And I’ve tried to teach myself to be very diligent to anything that I’m not expecting. And I have a pretty good idea of what I have set up in terms of my automatic payments. I don’t trust anybody. I’m terrible. But what I’m doing is I’m looking at all of this data, and I’m just naturally suspicious. Sounds terrible to be that way.

To answer your question, I think it’s more external than it is internal. I think it is organized by a very large group. If it wasn’t working, if they weren’t able to get what they were looking for, they wouldn’t be doing it. So the bad news is that it’s an effective way for them to reach out to people and to steal data, and sometimes money.


Catherine Short  21:54

Great. Well, right. I had a question about employee snooping. I know, there’s probably a number of people who work on their own. And I know that you’ve said that there’s a lot of people who of course, are very curious so that’s always an issue. When we have an issue with employee snooping, is it usually just individuals working or do we sometimes find there are people working in concert with others, and it is sometimes some kind of a criminal type of element?


Raymond Ribble  22:30

It could be more of the former and very, very less of the latter. I’ll expand on that answer. What we find at SPHER, because one of the things that SPHER does is it actually monitors for snooping. So I can give you some firsthand examples here. We’re looking at employees that might be looking at their own files, might be looking at files that belong to their neighbors, or to their co workers, or to some VIP. We’re able to determine with our technology, whether or not that glance, or that long look at the record is consistent with their profile and the way that they use the system. Now that’s our perspective. That’s what SPHER is looking for. It’s one of the things we do. Your question isn’t how to SPHER do, your question is how does snooping occur? Who does it and the damage that occurs? So I do believe that snooping is somewhat nefarious for almost all instances.


A lot of people snoop just for the sake of gossip, unfortunately. I will tell you for example, that our highest rate of snooping is with our rural customers moreso than our big city customers, if that makes any sense whatsoever. We find that during the pandemic, snooping spiked quite a bit. People working from home, they were finding themselves not as busy or having as many tasks as they might have had in the office, or they weren’t in an environment where people could see over their shoulders to see what they were looking at, so they thought, hey, it’s okay to take a peek, right? All of that fit into that model where they went and took a look at something and forgot that there was some system that was in place that was looking at what they were doing and all of a sudden, they had a knock on their door or phone call from their manager saying, Hey, can you explain to me why you were in so and so’s file because that has nothing to do with anything that you had assigned to you or within your workflow.


And so people love what we do in that stage because that’s something they can lock down on. I’ll give you one example if you don’t mind me doing that.


Catherine Short  24:47

I would love it.


Raymond Ribble  24:48

We had a large organization in the south. I’m going to be very vague here.

Very large organization. When they went live with our technology. In the first month of use, they had 1800 snooping incidents in one month. Yes, it’s pretty bad. Now, the CIO called us and said, you know, I hate you guys, for two reasons. One is, now that I know that, I have to go fix it, and you’ve made my life a living hell, because clearly I don’t have a problem. I have systemic, across the organization problem. Everybody’s looking at everybody’s data. It has nothing to do with their day jobs. Right? So she put together a strategy, she went to market, nobody got fired because she figured it was the entire company doing it.

A side note, the two people who were assigned to review the data coming from SPHER were two of her biggest transgressors. So the guys who are responsible for watching were the ones watching the wrong stuff. Within two months, she was down to eight instances of snooping. Once a new culture was established, once the employees knew they were being watched, that somebody was looking at what they were doing, and what they were looking at, it changed the culture, it changed the habit that fast. Which I think is a testament to okay, we had a bad problem, we got forward, we taught everybody what we’re gonna do. We explained to them what we implemented, and we did it, and they changed. That’s great. That’s a great story. So that was us working together where a client and a really good outcome that happened from that but snooping is really a big issue. And I think a lot of it is gossip.

So I hope that helps to provide some insight.


Catherine Short  26:47

Yeah. The eight people who didn’t get the memo?


Raymond Ribble  26:52

Well, there’s always the ones who think, hey, I can beat the system. Right? Maybe. Right.


Catherine Short  26:58

So I wanted to thank you so much for being on 1st Talk Compliance today. Right? I appreciate it so much. Your explanations were excellent and concise,  and very practical. So thank you so much.


Raymond Ribble  27:12

Well, as always, thank you for having me, Catherine. Thank you to everybody at First Healthcare Compliance. And to everybody listening today, I appreciate your time and your efforts as well.


Catherine Short  27:21

Thank you. I can’t wait to talk to you again. So appreciate it. Did you have any actual final thoughts before we totally wrap up?


Raymond Ribble  27:28

Please don’t be afraid of the answers that I just gave Catherine or the information that I presented. It’s not hard. Take it one step at a time. You’ve probably done better than you think you’ve done. But sitting down and just having a conversation with somebody within your organization and reaffirming that you have done the right things and that you have a plan that you’re working towards is the first step towards protecting your data. And I just recommend everybody do that.


Catherine Short  27:48

Great advice. So Ray, I wanted to thank you again so much for being here.

And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.