Cybersecurity: HIPAA with Teeth

Skilled nursing facilities are often an attractive target for cybercriminals, given the vast amount of personal information they collect about their residents and the unique vulnerabilities of seniors and others who rely on such facilities for their long-term care needs. Under the Health Insurance Portability and Accountability Act (HIPAA), facilities and health care providers already have a duty to safeguard personal information. However, in the wake of increasing ransomware and other attacks on healthcare digital information systems, the need to protect such information is more pressing than ever. 

In response to these growing threats, legislators introduced a new law in the U.S. Senate on September 26, 2024, known as the Health Infrastructure and Accountability Act. The new law would require the Department of Health and Human Services to develop and enforce minimum cybersecurity standards for healthcare providers. If this measure is adopted, healthcare entities would be mandated to conduct annual cybersecurity audits and “stress tests” on their systems. The existing cap on fines for large corporations under HIPAA would be removed, providing HHS with a powerful weapon to enforce the new standards and requirements. In extreme cases, if executives and leaders of healthcare entities including skilled nursing facilities knowingly filed false information about cybersecurity precautions, they could even face jail time. 

Regardless of whether this Act is enacted now or in the future, skilled nursing facilities should make cybersecurity a priority and take affirmative steps to educate their staff. In April 2023, HHS released Knowledge on Demand, a new online platform that offers free training on key cybersecurity issues, including social engineering, ransomware, loss or theft of equipment or data, accidental or malicious data loss, and attacks against network connected medical devices. The platform allows providers to tap into a free resource designed to educate their workforce on avoiding activities that may leave a facility vulnerable to cyberattacks. 

Cona Elder Law’s experienced attorneys continue to monitor the most recent developments regarding this legislation as well as other important legal matters concerning the skilled nursing facility, assisted living and CCRC industry.  Contact us at 631.390.5000 or click here to learn more about how our firm can help your facility preserve your bottom line and ensure your ability to continue to provide quality services to your nursing home residents.