As ransomware attacks on the healthcare sector continue to rise, organizations face growing legal, operational, and reputational risks. Nixon Peabody Healthcare Privacy attorney Valerie Montague answers common questions about HIPAA compliance, breach notification, and how to prepare for and respond to cybersecurity incidents.
- What should we do if our healthcare organization is hit by ransomware?
- If protected health information (PHI) is encrypted or accessed without authorization, it may be considered a reportable breach under HIPAA. Simultaneous with a forensic investigation, an impacted organization should conduct a breach risk assessment to determine applicable notification obligations.
- What does a HIPAA breach risk assessment involve after a cyberattack?
- A HIPAA-compliant risk assessment evaluates the type of PHI involved, whether it was accessed or viewed, who the attacker was, and how much the risk was mitigated. Forensic analysis is essential to support your findings.
- If the organization is not regulated under HIPAA or if a HIPAA breach risk assessment indicates that reporting is not required, are we in the clear?
- Not always. An incident may trigger a state data breach law even if HIPAA is not implicated due to the type of information involved or because the state requirement does not allow for a risk-based analysis. Additionally, vendor contracts often require notification of any security incident, even if it doesn’t meet HIPAA’s definition of a breach.
- What is a Business Associate Agreement (BAA), and why does it matter?
- BAAs are contracts between healthcare providers and vendors that handle PHI. They should clearly define who reports a breach, how quickly, what information must be shared, and who covers the costs.
- How can we prepare for a ransomware attack before it happens?
- Start with a robust privacy and security compliance program. Conduct regular security risk analyses, maintain a current incident response plan, and back up your data in multiple secure locations. Workforce training is also essential—your security is only as strong as your weakest link.
- What are the legal risks of delaying breach notification or mishandling our response?
- Delays or missteps can lead to regulatory penalties, reputational damage, and class-action lawsuits. Regulators expect a timely, thorough response.
- What’s one common cybersecurity mistake healthcare organizations overlook?
- One of the biggest missteps is failing to update privacy and security protocols to respond to changing risks, new processes, or technology updates. Ensuring health information confidentiality and security means implementing a “living” compliance program that adapts to your organization’s changing environment.
Need help strengthening your healthcare cybersecurity program or responding to a data breach? Nixon Peabody Healthcare & Privacy attorneys work with healthcare organizations nationwide to build compliance strategies, manage breach response, and reduce legal risk.