December 6, 2022

Volume XII, Number 340


Cyber-Attack Response Guidance for Covered Entities and Business Associates

The Health Insurance Portability and Accountability Act (“HIPAA”) contains minimum security standards that Covered Entities and Business Associates must employ to safeguard protected health information (“PHI”). As part of HIPAA’s security standards, Business Associates are obligated to report all security incidents to the Covered Entity. The HIPAA Security Rule defines a “security incident” as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Thus, a Business Associate’s reporting obligation is triggered by both successful breaches of PHI and unsuccessful attempts to access PHI. Covered Entities should ensure their Business Associate Agreements are compliant and require Business Associates to report both successful and unsuccessful security incidents.

Review the Office for Civil Rights’ (“OCR”) checklist and infographic to ensure your organization is prepared to respond to a security incident with the following actions:

  1. Execute your response and mitigation procedures and contingency plans. The Covered Entity or Business Associate must take steps to stop the security incident or fix the issues that led to the security incident. This includes mitigating any impermissible disclosure of PHI.

  2. Report the crime to law enforcement agencies. Many security incidents arise from criminal behavior; report these crimes to local, state or federal law enforcement as relevant. Be mindful that PHI can only be disclosed to law enforcement under certain circumstances (see 45 C.F.R. § 164.512(f)) and that an active law enforcement investigation may require delayed breach notice (see 45 C.F.R. § 164.412).

  3. Report cyber threat indicators to federal agencies and Information-Sharing and Analysis Organizations. Cyber threat “indicators” may include a description of the harm caused by the security incident, identification of security vulnerabilities that permitted the incident, or any other information that is necessary to describe or identify the cybersecurity threat.  While these reports are not mandated by HIPAA, OCR strongly encourages this type of information-sharing with the Department of Homeland Security or other federal agencies and private-sector organizations.

  4. Assess if a breach occurred.
     a. If a breach occurred, the Covered Entity must report the breach to affected individuals, OCR, and potentially the media (see the HIPAA Breach Notification Rule at 45 C.F.R. § 164.402-414).
     b. If a security incident was not a breach, document and maintain your breach analysis in your HIPAA compliance files.

Covered Entities and Business Associates can face tremendous liability for violations of the HIPAA Security Rule. Thus, it is imperative for Covered Entities and their Business Associates to ensure their procedures for responding to security incidents comply with the HIPAA requirements.  

© 2022 Dinsmore & Shohl LLP. All rights reserved. National Law Review, Volume VII, Number 257

About this Author

Stacey A. Borowicz, Regulatory, Law and Healthcare industry attorney at Dinsmore Shohl

Stacey Borowicz is an accomplished attorney who dedicates the majority of her business and regulatory practice to health care providers. Stacey brings with her more than a decade of front line experience in the health care industry as she acquired a rare set of skills as a medical researcher/scientist prior to entering the practice of law.

Stacey's experience in the healthcare representation is diverse and includes Medicare/Medicaid audit and overpayment appeals, voluntary disclosures and refunds. Stacey also brings a wealth of experience in...

Courtney White, Dinsmore Law Firm, Corporate Attorney

Courtney is a member of our Corporate Department where she focuses her practice on health care law.

While at the Ohio State University Moritz College of Law, she was a managing editor on the Ohio State Law Journal. She also earned the Ernest Karam Book Award for academic achievement in Legal Analysis and Writing and was named a Public Service Fellow with Dean’s Special Recognition.