2024 U.S. Senate Bill Aims to Amend HIPAA to Establish Cybersecurity Standards
Posted on Health Care Law News by Sydney Madow
Last month, the U.S. Senate introduced the Health Infrastructure Security and Accountability Act to address multiple recent data breaches and ransomware attacks affecting health care entities, insurers, and health care technology providers. If passed, the bill will amend the Health Insurance Portability and Accountability Act (HIPAA) and establish new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates.” The Act would also require certain health care entities to conduct annual cybersecurity audits (except for small providers, who may be eligible for waivers of this requirement). The bill would also allocate an additional $1.3 billion to large health care entities, such as hospitals, for implementation of more robust cybersecurity measures. The bill was introduced in part due to one of the largest ransomware attacks in U.S. history, the Change Healthcare data breach, which significantly impacted health care providers and patients. Data breaches of various large entities are on the rise and pose a serious risk to protected health information (PHI), trade secrets and other proprietary information. Regardless of whether the Health Infrastructure Security and Accountability Act passes, ensuring the security of PHI is more important than ever.
The attorneys of Nicholson & Eastin routinely represent health care providers and covered entities in HIPAA compliance matters. If you are a health care provider, covered entity or business associate and would like regulatory and compliance advice regarding HIPAA, or have questions about how to comply with HIPAA after a breach of PHI, please do not hesitate to contact us to evaluate your case.