Your EHR or practice-management vendor was breached
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
The first hour
1. Confirm the incident with the vendor directly (status page, account manager, official notification) — not by social media.
2. Pull your signed BAA. Note the breach-notification commitments, the timeline obligations the vendor owes you, and what they will and won't pay for.
3. Inventory what PHI the vendor processes for you. EHR vs PMS vs clearinghouse vs analytics — each may be a separate vendor with a separate scope.
4. Document the operational impact in writing — scheduling down, claims down, eligibility down — with timestamps. This is the basis for any business-interruption insurance claim.
5. Move to manual workflows for the most time-sensitive tasks: prior auths in progress, refill requests, urgent-care diversions, lab result callbacks.
6. Open a line with your cyber insurer. A vendor breach is often covered even when your own systems weren't touched.
Frequently asked
Is the breach our fault if it was the vendor?
Under HIPAA, the practice (the covered entity) and the vendor (the business associate) each have independent obligations. The BA is liable for the breach; the practice is liable for picking and managing the BA. OCR will look at whether you had a current BAA, whether you did vendor due diligence, and whether you notified patients in time once the BA notified you.
When does our 60-day patient notification clock start?
From the date your practice discovered the breach — which is typically the date the BA notified you, not the date the vendor's incident began. Save that notification email. If the BA delays, the HHS guidance is that your clock starts when you reasonably should have known.
Can we sue the vendor?
Often yes, subject to the BAA's limitation-of-liability clause. Most BAAs cap vendor liability at fees paid in the prior 12 months, which rarely covers a real breach. Read the cap before you build a financial recovery plan around it.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid.