Cyber-Attack Response Guidance for Covered Entities and Business Associates
The Health Insurance Portability and Accountability Act (“HIPAA”) contains minimum security standards that Covered Entities and Business Associates must employ to safeguard protected health information (“PHI”). As part of HIPAA’s security standards, Business Associates are obligated to report all security incidents to the Covered Entity. The HIPAA Security Rule defines a “security incident” as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Thus, a Business Associate’s reporting obligation is triggered by both successful breaches of PHI and unsuccessful attempts to access PHI. Covered Entities should ensure their Business Associate Agreements are compliant and require Business Associates to report both successful and unsuccessful security incidents.
Review the Office for Civil Rights’ (“OCR”) checklist and infographic to ensure your organization is prepared to respond to a security incident with the following actions:
1. Execute your response and mitigation procedures and contingency plans. The Covered Entity or Business Associate must take steps to stop the security incident or fix the issues that led to the security incident. This includes mitigating any impermissible disclosure of PHI.
2. Report the crime to law enforcement agencies. Many security incidents arise from criminal behavior; report these crimes to local, state or federal law enforcement as relevant. Be mindful that PHI can only be disclosed to law enforcement under certain circumstances (see 45 C.F.R. § 164.512(f)) and that an active law enforcement investigation may require delayed breach notice (see 45 C.F.R. § 164.412).
3. Report cyber threat indicators to federal agencies and Information-Sharing and Analysis Organizations. Cyber threat “indicators” may include a description of the harm caused by the security incident, identification of security vulnerabilities that permitted the incident, or any other information that is necessary to describe or identify the cybersecurity threat. While these reports are not mandated by HIPAA, OCR strongly encourages this type of information-sharing with the Department of Homeland Security or other federal agencies and private-sector organizations.
4. Assess if a breach occurred.
   a. If a breach occurred, the Covered Entity must report the breach to affected individuals, OCR, and potentially the media (see the HIPAA Breach Notification Rule at 45 C.F.R. §§ 164.402-414).
   b. If a security incident was not a breach, document and maintain your breach analysis in your HIPAA compliance files.
Covered Entities and Business Associates can face tremendous liability for violations of the HIPAA Security Rule. Thus, it is imperative for Covered Entities and their Business Associates to ensure their procedures for responding to security incidents comply with the HIPAA requirements.