Speaker 1: Hey, welcome back. Joe Brunsman, insurance broker to the stars. And finally, some good news for any of those entities regulated under HIPAA. This is HIPAA's new compliance and cybersecurity safe harbor. This is meant to actually help you. So let's go ahead and jump on into it. All right. Formally, this is still known as HR 7898, at least it was in Congress. This is actually what it's called. I'm not going to read that to you. You can pause the video here if you'd really like to. What is it? This is meant to provide relief for those covered entities and business associates under HIPAA. How does it actually do that? Well, it goes in and it says, hey, when you're calculating fines, this is HHS OCR. When you're calculating those fines, when you're evaluating those audits, when you're proposing any follow-on mitigation steps that that business needs to engage in, HHS will, right? So you'll see there, they must. They must consider whether the entity had, quote, recognized security practices for the previous 12 months that would have mitigated any of those HIPAA fines, resulted in early termination of a favorable HIPAA audit. So they're saying, hey, if you would have been audited and you would have passed with flying colors, maybe we don't need to throw the book at you anymore. And if it would have mitigated any resolution agreements and remedies, therefore, if you really want to kind of jump into that subject, I will post right above here the million dollar laptop story, which is quite interesting. Now, of course, the question is, OK, what are these recognized security practices? Is this like a new checklist of things I have to do? Not necessarily. This is what the text of the law says. But let's go ahead and jump into what that means in practice, because I think that's way more important. So generally they're saying, hey, let's say you're adhering to some sort of cybersecurity framework. You have risk management plans in place. 
You have an appropriate risk analysis that's been conducted within the last 12 months. You have appropriate administrative, physical and technical safeguards that were in place. Well, now they're not going to penalize you. They're going to say, hey, kudos to you. Let's put that in your favor. In addition, it does not increase any of the fines or penalties associated with a violation of HIPAA HITECH, nor does it create any type of new security practices. But what it does do is it's really meant to help incentivize those HIPAA regulated entities to implement those best practices that we're going to see on the market. It's also supposed to incentivize proactive and increased cybersecurity measures. So finally, if you're an IT guy out there and you're working in the HIPAA world and you've been screaming at the top of your lungs this whole time, you know, you're saying, I know that HIPAA only says we have to do annual security awareness training, but it's really a best practice that we do at least monthly cybersecurity awareness training. Or you've been screaming from the rooftops talking about 2FA or MFA and everybody just turns a blind eye because they're like, ah, HIPAA doesn't really require that. So we're not going to do it. You finally have a ball in your court. You have some ammunition where you can go back to that entity and you can say, hey, I know this isn't strictly required, but now we have this new law that's out there that's saying, hey, they're trying to incentivize this. And on the back end, if anything happens, this could actually make us look better, help mitigate those fines, make all of our lives easier. Finally, those types of investments, those additional security controls you're trying to put in place. Finally, it makes sense to actually bring that in front of the board and try and make that happen. And then finally, of course, it also does provide relief to those well-meaning entities that have been breached. 
So likely you're going to see lower penalties on the back end. Ultimately, that's going to have really a couple of ramifications kind of put in total here. One is you're going to have probably lower cyber insurance costs. So that's going to be a bonus for you. Also, if you do eventually get breached, now you're looking at lower, well, potentially lower, fines, penalties and assessment action. That's going to mean that the renewal of your cyber insurance policy is going to be that much easier. There's a big difference between costing the insurance company, say, 100 grand and 4 million. That's a big difference there. So make sure you keep that in mind. All right. Let's talk about some considerations moving forward here. Obviously, work with your IT or your MSP. Think about adhering to some sort of security framework. I'm a big fan of NIST CSF. We know that generally HIPAA when they're coming in and they're looking at your security program, they're going to be judging that against NIST CSF. So I think it just kind of makes sense there. Make sure that you're updating those risk management plans. Obviously, new threats are coming out all the time. You need to make sure that you are staying on top of those. Conduct that appropriate risk analysis. Implement those appropriate safeguards, even if it's above and beyond within the strict guidelines of what HIPAA is requiring. Before I mentioned 2FA, MFA, monthly security awareness training at a minimum, dark web scanning, for example. All of these things could finally now be in your benefit, and you could really have the ammunition to go in front of the appropriate people and actually make the case for why that additional money needs to be spent, because it could save you potentially a lot of money and heartache on the back end. And then obviously, if you have any questions, make sure that you're working with qualified legal counsel. All right. 
If you enjoyed that presentation, this is Damage Control Cyber Insurance Compliance. That is where you can go to download it for free, if you wanted to learn more about cyber insurance and the compliance side, specifically HIPAA, if you're watching this video. Also, you can purchase a physical or digital copy on Amazon if you want to keep the wife happy. And with that, I hope you guys stay safe.