OCR Releases Cyber-Attack Checklist to Help HIPAA-Covered Organizations

The HIPAA Security Rule requires covered entities and business associates to identify and respond to security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. The HIPAA Security Rule also requires HIPAA-covered entities and business associates to establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans.

In June, the Office for Civil Rights released a Quick Response Checklist to help HIPAA-covered organizations deal with any cyber-attack that exposes or potentially exposes patient healthcare information. Here are some excerpts from the Checklist.

In the event of a cyber-attack or similar emergency, an entity:

  • Must execute its response and mitigation procedures and contingency plans.  For example, the entity should immediately fix any technical or other problems to stop the incident.  The entity should also take steps to mitigate any impermissible disclosure of protected health information, which may be done by the entity’s own information technology staff, or by an outside entity brought in to help.
  • Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the FBI and/or the Secret Service.  Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule.  If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing.
  • Should report all cyber threat indicators.  Reports should be made to federal and information-sharing and analysis organizations, including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.  Any such reports should not include PHI.
  • Must report the breach to OCR as soon as possible. A breach affecting 500 or more individuals must be reported no later than 60 days after discovery, and the entity must notify affected individuals and the media, unless a law enforcement official has requested a delay in the reporting. OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify: individuals without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.

For additional information, please visit OCR's webpage.