Skip to Main Content
Our Commitment to Diversity

Government Investigations Into Cybersecurity Breaches In Healthcare

Date: 11 February 2016
Cyber Law and Cybersecurity Alert
By: Eric M. Matava, Patricia C. Shea

In September 2015, a U.S. Department of Health and Human Services (HHS), Office of the Inspector General (OIG), report found that the Office of Civil Rights (OCR), the agency charged with ensuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), had not “fully implemented the required audit program to proactively assess possible noncompliance from covered entities.” The HHS OIG report described OCR’s oversight as “primarily reactive.” As a result, the report recommended the implementation of a permanent audit program, scheduled to begin in early 2016. This development poses risks to healthcare providers faced with cybersecurity breaches and the potential for government investigations into the steps taken to address them.

In order to minimize exposure and prepare for any subsequent government investigation, healthcare providers must ensure that they have implemented the safeguards HIPAA requires. In the event these safeguards are unsuccessful in preventing a breach, healthcare providers must have an effective incident response plan in place. This article reviews the reporting obligations under HIPAA, provides an overview of state notification laws that may supplement HIPAA, reviews the potential consequences associated with noncompliance, and highlights several key steps for responding to a data breach.

Click here to read the full alert.

Mark A. Rush
Mark A. Rush
Washington DC

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel