BMN Blog

OCT 12

As of September 30, 2017, the Department of Health and Human Services Office of Civil Rights (OCR) has received notices of 237 breaches. 46% occurred as a result of hacking or IT security incidents, many at the business associate level. Ransomware is rampant and projected to increase 670%. As a covered entity, even if a breach occurs at your business associate, under HIPAA you are responsible for your protected health information and for responding to the breach. OCR has been clear that breaches of 500 or more records will be investigated. Given the significant increase in breaches over the past few years, advance preparation is critical and can reduce the cost and burden of breach response.


  • Conduct due diligence of any prospective and current business associate’s HIPAA security compliance
  • Enhance business associate obligations in Business Associate Agreements
    • Separate notice timelines for impermissible uses and disclosures, security incidents, and breaches; tiered reporting ranging from initial informal notice to full notice of all factors necessary for a breach risk assessment to assess the probability of risk to the PHI
    • Include state law notice obligations
    • Indemnification for costs of breach mitigation, investigation, response, notice and regulatory investigation and no limitation of liability
    • Notice to individuals and press release by business associate at request and with prior approval of health care provider
    • Appropriate cyber-insurance coverage and identification of covered entity as an additional covered insured
    • Obligation to maintain all logs and technical forensic records relating to a security incident and impermissible use and disclosure
    • Full and timely access to technical logs and other records, including forensic reports without regard to any claim of privilege
    • Cooperation requirements
    • Covered Entity’s breach risk assessment is binding
  • Know your cyber insurance
    • Verify coverage limits
    • Know the notice requirements
    • Pre-approve legal counsel, forensic examiners, credit monitoring services and other vendors needed for response, notice and regulatory defense
    • Assess appropriateness of coverage limits
  • Conduct security risk analysis
    • Mandated by HIPAA
    • Comprehensive SRA including all locations, systems and business associates
    • Update annually and with security incidents or breaches
    • Failure to perform and update may result not only in HIPAA liability but also reduction in reimbursements under Medicare and False Claims Act liability if health care provider attested that the activity had been performed
    • Establish, implement and document a corrective action plan
  • Conduct regular data back-ups
    • Encrypt backups
    • Test restoration time and data integrity
  • Prepare Breach Response and Notice Plan
    • Prepare in advance and update
    • Designate a breach response team, include legal counsel, forensic examiners, and resources for providing notice such as printing and mailing and credit monitoring services
    • Train all employees to identify potential security issues and respond in accordance with the plan
    • Test your plan
  • Don’t forget state laws
    • Many states have varying breach notice obligations; prepare according 