Cybersecurity, NIST/OCR Annual Security Conference: September Privacy and Security Updates
Thursday, September 15, 2016

Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.

Cyberattacks

OCR warned health care companies on September 7 of the recent increase in the frequency and harm of cyberattacks and encouraged Covered Entities and Business Associates to use information-sharing as a tool to fight these attacks. OCR cited the Cybersecurity Information Security Act and Executive Order 13691 as recognizing the importance of information-sharing to help prevent attacks or vulnerabilities through exchanges both among health care companies and between the federal government and private sector.

However, OCR noted that while information-sharing has many benefits, sensitive information like Protected Health Information (PHI), detailed security information, trade secrets, or other proprietary information should remain private through de-identification or non-disclosure. OCR also dedicated a new FAQ to the topic last week, explaining that a Covered Entity or Business Associate may not disclose PHI for cybersecurity information-sharing purposes unless the disclosure is otherwise permitted under HIPAA. OCR stated that disclosure of PHI is often not necessary to alert other entities of threats to or vulnerabilities of particular systems. Therefore, OCR’s emphasis on information-sharing should not be viewed as giving Covered Entities and Business Associates more flexibility in disclosing PHI for information-sharing purposes. Covered Entities and Business Associates must continue to ensure that all disclosures comply with the requirements of the Privacy Rule, even when they act with the best intentions of helping other entities prevent cyberattacks.

NIST/OCR Annual Security Conference

OCR has also announced the dates for its annual security conference held in connection with the National Institute of Standards and Technology (NIST). This year’s conference will be held on October 19 and 20, and participants can attend in person or via webcast.

 
