In recognition of National Cybersecurity Awareness Month, the Office for Civil Rights (OCR) issued its October 2022 Cybersecurity Newsletter addressing best practices and tips for compliance with HIPAA’s Security Rule. The Newsletter discussed the ever-increasing need for members of the healthcare industry to be vigilant in their practices, as research shows a 42% increase in cyber-attacks in the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the healthcare sector alone. Moreover, OCR reported that in 2021, 74% of the reported breaches involved hacking/IT incidents. As a result, OCR has identified hacking as the greatest threat to the privacy and security of protected health information (PHI) in the healthcare sector.

These statistics underscore the importance of providers ensuring that their HIPAA programs are in full compliance with the law. OCR notes the significance of entities ensuring they have sufficient plans in place to: (1) identify security incidents; (2) respond to security incidents; (3) mitigate the harmful effects of security incidents; and (4) document security incidents and their outcomes, in compliance with the HIPAA Security Rule. The Newsletter provides helpful summaries of key items to keep in mind when planning to address each of these tasks.

Moreover, the OCR underscores the importance of forming a security incident response team prior to the identification of a potential cybersecurity incident or breach. Having a trained and organized team is critical to ensure that when an incident does occur, as is almost certain in any organization, the team is prepared to take action with an appropriate and timely response.

When forming a security incident response team, the factors to consider in assembling a well-rounded group include: sufficient expertise; members with established lines of communication to key individuals; representation of key internal groups (e.g., management, IT, legal, public affairs); and identification of the key services the team will need to provide as part of its duties.

The value of a well-prepared security incident response protocol is best summed up in the Newsletter’s conclusion, which states, “The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI. A well thought-out, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity’s ePHI.”

With the pandemic, the struggling economy, and so many other issues impacting providers and consuming their daily attention, it is easy to become complacent and/or overlook the constant threats that cyber-attacks pose to the healthcare sector. The OCR’s Newsletter serves as a key reminder of that threat and provides a helpful overview of key areas for providers to review in assessing the sufficiency of their respective HIPAA programs.

John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.