Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. OCR issues reminder of security incident obligations

      Articles

    Article

    OCR issues reminder of security incident obligations

    Oct 28, 2022

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague

    HIPAA covered entities and business associates should review their compliance programs and incident response plans to ensure a process is in place to address security incidents.

    On October 25, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published its latest cybersecurity newsletter, reminding HIPAA covered entities and business associates of their obligation under the HIPAA Security Rule to implement policies and procedures addressing security incidents. While much attention in the industry is focused on whether an event is a reportable data breach, it is important that HIPAA-regulated entities do not bypass their obligations regarding security incidents.

    A security incident is defined within the HIPAA Security Rule as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” OCR stated that seventy-four percent of breaches reported to OCR in 2021 involved hacking or information technology incidents.

    Viewing security incidents as “inevitable,” OCR’s guidance reminds covered entities and business associates of their obligation to maintain a documented plan to identify, respond to, mitigate the harmful effects of, and document security incidents. OCR also encourages organizations to develop a security incident response team in order to have a process and personnel in place who are trained to effectively and efficiently respond to security incidents. Developing, or updating, an incident response plan is critical to best-position an organization to address a security incident or any other type of data incident.

    Within an organization’s incident response plan, OCR suggests that organizations have “sub-plans” in place to address specific types of security incidents, particularly if the organization deals with such incidents repeatedly, such as a plan to address a ransomware attack, a plan specific to phishing attacks, and a plan to respond to malicious actions of organization insiders.

    The guidance outlines the requirements for covered entities to report breaches of unsecured protected health information (PHI). Although not stated in the guidance, business associates also should take care to understand not only their obligations to report breaches of unsecured PHI to their covered entity clients, but also their obligations to report security incidents, as well as potential breaches of unsecured PHI. These obligations, including the timing, the content, and any carve-outs (many covered entities do not require reporting of “unsuccessful” security incidents, or require such reporting on a periodic basis, rather than following each event) should be detailed in the business associate agreement between the parties.

    With respect to security incidents, an “ounce of prevention,” in the form of a robust incident response plan, comprehensive, documented policies and procedures, and workforce training, can go a long way to mitigate the impact of these events.

    Practices

    Health Information - Privacy, Security & Data Sharing

    Industries

    Healthcare

    Insights And Happenings

    • Video

      Healthcare outlook: HIPAA and data privacy

      Healthcare
      Feb 10, 2023
    • Podcast

      OCR enforcement actions emphasize focus on HIPAA Right of Access Initiative

      Healthcare
      Oct 12, 2022
    • Alert

      Data privacy in the post-Roe era

      July 12, 2022
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved