Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Articles
    4. OCR issues reminder of security incident obligationsArticles

    Article

    OCR issues reminder of security incident obligations

    Oct 28, 2022

    Share

    By Valerie Montague

    HIPAA covered entities and business associates should review their compliance programs and incident response plans to ensure a process is in place to address security incidents.

    On October 25, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published its latest cybersecurity newsletter, reminding HIPAA covered entities and business associates of their obligation under the HIPAA Security Rule to implement policies and procedures addressing security incidents. While much attention in the industry is focused on whether an event is a reportable data breach, it is important that HIPAA-regulated entities do not bypass their obligations regarding security incidents.

    A security incident is defined within the HIPAA Security Rule as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” OCR stated that seventy-four percent of breaches reported to OCR in 2021 involved hacking or information technology incidents.

    Viewing security incidents as “inevitable,” OCR’s guidance reminds covered entities and business associates of their obligation to maintain a documented plan to identify, respond to, mitigate the harmful effects of, and document security incidents. OCR also encourages organizations to develop a security incident response team in order to have a process and personnel in place who are trained to effectively and efficiently respond to security incidents. Developing, or updating, an incident response plan is critical to best-position an organization to address a security incident or any other type of data incident.

    Within an organization’s incident response plan, OCR suggests that organizations have “sub-plans” in place to address specific types of security incidents, particularly if the organization deals with such incidents repeatedly, such as a plan to address a ransomware attack, a plan specific to phishing attacks, and a plan to respond to malicious actions of organization insiders.

    The guidance outlines the requirements for covered entities to report breaches of unsecured protected health information (PHI). Although not stated in the guidance, business associates also should take care to understand not only their obligations to report breaches of unsecured PHI to their covered entity clients, but also their obligations to report security incidents, as well as potential breaches of unsecured PHI. These obligations, including the timing, the content, and any carve-outs (many covered entities do not require reporting of “unsuccessful” security incidents, or require such reporting on a periodic basis, rather than following each event) should be detailed in the business associate agreement between the parties.

    With respect to security incidents, an “ounce of prevention,” in the form of a robust incident response plan, comprehensive, documented policies and procedures, and workforce training, can go a long way to mitigate the impact of these events.

    HIPAA

    Practices

    Health Information - Privacy, Security, and Data Sharing

    Industries

    Healthcare

    Insights And Happenings

    • Video

      Healthcare outlook: HIPAA and data privacy

      Healthcare
      Feb 10, 2023
      Valerie Montague joins the American Health Law Association podcast to discuss HIPAA and data privacy updates the healthcare industry needs to know.
    • Alert

      Data privacy in the post-Roe era

      July 12, 2022
    • Article

      CMS the Largest Health Insurance Provider Sets the Stage for Health Equity for the Next 10 Years

      May 19, 2022

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL