

Privacy and Security

Healthcare providers are required to comply with several information privacy and security regulations, namely HIPAA and its subsequent expansions. Such regulations protect patients from privacy and security risks, including data breaches that may result in identity theft and financial loss.


In 2017, over 50% of all reported data breaches involved healthcare providers, totaling over 6M records. Nearly half of those breaches were caused by hacking by outside parties rather than by unintended disclosures or other causes. By the numbers, healthcare providers are the entities most at risk of cyber attack.


Regulatory Overview

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to comply with the Privacy Rule, located at 45 CFR Part 160 and Subparts A and E of Part 164, and the Security Rule, located at 45 CFR Part 160 and Subparts A and C of Part 164. Both rules set out a covered entity’s responsibilities concerning protected health information (PHI).


In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH), which addressed the privacy and security of electronic protected health information (ePHI). Then, in 2013, the Omnibus Rule extended the privacy and security rules to apply directly to business associates. These regulations, together with administrative rulings by the Department of Health and Human Services (HHS), form the regulatory authority with which covered entities must comply. Many small medical providers struggle with the complexity of the rules as well as with their implementation.


Other rules may also apply to healthcare providers engaged in research, substance use disorder treatment (for example, the confidentiality rules of 42 CFR Part 2), or medical device manufacturing, among other activities.


Recently, HHS’ Office for Civil Rights (OCR) increased its audit activity through what is known as the "Phase 2" audits and has brought more HIPAA enforcement actions, including against smaller providers. Even though the risk of being selected for an official audit remains relatively low, the risk of experiencing a data breach continues to rise, and the consequences of a breach can be far more serious than those of technical noncompliance.


Potential Risks

  • Civil monetary penalties of up to $1.5M per calendar year for violations of the same provision

  • Criminal penalties, including imprisonment for up to 10 years, for knowing violations committed for commercial advantage or with malicious intent

  • Professional sanction by state medical boards (including loss of licensure)

  • Civil and criminal actions under state law

  • Civil actions by aggrieved parties

  • Damage to reputation

  • Disruption to services

  • Loss and corruption of patient information

  • Costly breach response, forensic analysis, and remediation


Risk Mitigation

Healthcare providers should take proactive steps to reduce their privacy and security risks. Small providers should especially consider the potential impact of a data breach. There are reasonable measures providers can take to reduce their risk. The key is identifying opportunities, closing vulnerabilities, and shoring up compliance gaps.


A good risk mitigation strategy must consider both the regulatory and broader privacy and security issues that create risk. Providers should employ a holistic approach that recognizes compliance, privacy, and security as interdependent concepts, as not all regulations apply to all entities and meeting minimum compliance standards does not eliminate all risk.


Sensible risk management involves implementing thoughtfully considered policies and procedures, and administrative, physical, and technical safeguards. The starting point is identifying your practice’s specific challenges and focusing on the issues that pose the greatest risk. Even a relatively small amount of well-concentrated resources can have a sizable impact.


Privacy and Security Management Plan

Healthcare providers should develop and adopt a comprehensive information management plan that comports with HIPAA requirements. The plan should address all applicable laws and regulations as well as other privacy and security risks impacting the organization.


Affordability and practicability are central considerations for small providers. The law allows compliance activities to be tailored to your practice. Hollow compliance exercises are insufficient if the goal is to meaningfully improve your privacy and security posture and fully protect your interests.

Plan Elements

  • HIPAA compliance assessment

  • NIST SP 800-30 risk assessment

  • *Cybersecurity vulnerability test (recommended)

  • Information Management Plan

    • Policies and procedures

    • Information controls

    • Training

    • Auditing

    • Review

  • Business Associate security

  • Contingency plan

  • Breach response plan

  • Insurance review


*Performed by an expert cybersecurity consultant at the direction of counsel
