In the wake of several recent international cyber-attacks focusing on the health care sector, the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has developed a checklist and a corresponding infographic that explains the steps for a HIPAA covered entity or its business associate (BA) (collectively, the “entity”) to take in response to a cyber-related security incident.

In the event of a cyber-attack or similar emergency, an entity:

  • Must execute its response and mitigation procedures and contingency plans. For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible disclosure of protected health information (PHI), which may be done by the entity’s own information technology staff, or by an outside entity brought in to help (which would then become a BA if it has access to PHI for that purpose). 
  • Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Any such reports should not include PHI, unless otherwise permitted by the HIPAA Privacy Rule. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing, or for 30 days, if the request is made orally. 
  • Should report all cyber threat indicators to the appropriate federal agencies and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Any such reports should not include PHI. OCR does not receive such reports from its federal or HHS partners.
  • Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. OCR presumes all cyber-related security incidents where PHI was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify: individuals without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.

OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include voluntary sharing of non-protected breach-related information with law enforcement agencies and with the federal agencies and information-sharing and analysis organizations described above.

Rachel Monger, JD, LACHA is President/CEO. Rachel joined LeadingAge Kansas in 2011 as the Director of Government Affairs and has been a powerful voice for our membership ever since. Rachel is a Kansas licensed attorney and adult care home administrator. She received her bachelor’s degree from Bard College at Simon’s Rock in Great Barrington, MA, and her Juris Doctorate from the University of Kansas School of Law. Over the years, Rachel has served in many volunteer roles in her community and in the state of Kansas to support senior needs, aging services education, and community mental health services. She is also a member of the Board of Governors for the Kansas Health Care Stabilization Fund. As an award-winning trial lawyer, turned award-winning senior care advocate, she has spent nearly two decades passionately supporting quality of care and quality of life for Kansas seniors. When not at work, Rachel loves reading, crafting, volunteering with her church, and spending time with her partner Steven. You can reach Rachel directly at 785.670.8046.