The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has developed a checklist and a corresponding infographic that explains the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident.
In the event of a cyber-attack or similar emergency an entity:
[i] The HIPAA Security Rule requires HIPAA covered entities and business associate to identify and respond to suspect or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. See 45 C.F.R. § 164.308(a)(6). The HIPAA Security Rule also requires HIPAA covered entities and business associates to establish and implement contingency plans, including data backup plans, disaster recovery plans, and emergency mode operation plans. See 45 C.F.R. § 164.308(a)(7). See also https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es.
[ii] Protected health information or PHI includes all individually-identifiable health information held by HIPAA covered entities and business associate, except for employment records, records covered by FERPA, or information about individuals deceased more than 50 years. PHI includes any health information that relates to the care or payment for care for an individual, and includes, for example, treatment information, billing information, insurance information, contact information, and social security numbers. See also https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[iii] A business associate includes any vendor that creates, receives, maintains, or transmits protected health information (PHI) for or on behalf of a HIPAA covered entity. This includes vendors that have access to PHI to provide IT-related services to the covered entity. See 45 C.F.R. § 164.103, § 164.308, and § 164.502. See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[iv] The HIPAA Privacy Rule permits the disclosure to law enforcement agencies under certain circumstances. See 45 C.F.R. § 164.512(f). See also https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.
[v] See the HIPAA Breach Notification Rule at 45 C.F.R. § 164.412.
[vi] The Cybersecurity Information Sharing Act of 2015 (CISA) describes cyber threat indicators as information that is necessary to describe or identify: malicious reconnaissance; methods of defeating a security control or exploitation of a security vulnerability; a security vulnerability; methods of causing a user with legitimate access to defeat of a security control or exploitation of a security vulnerability; malicious cyber command and control; a description of actual or potential harm caused by an incident; any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or any combination thereof. See also https://www.hhs.gov/hipaa/for-professionals/faq/2072/covered-entity-disclose-protected-health-information-purposes-cybersecurity-information-sharing/index.html.
[vii] The Cybersecurity Information Sharing Act of 2015 (CISA) in Sec. 106 provides that “Liability protections are provided to entities acting in accordance with this title that: (1) monitor information systems; or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares such indicators or measures with the federal government is consistent with specified procedures and exceptions set forth under the DHS sharing process.”
[viii] Breaches affecting fewer than 500 individuals should be reported to affected individuals as soon as possible, but within no later than 60 days, and reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. See the HIPAA Breach Notification Rule at 45 C.F.R. § 164.404 and 164.408. See the HIPAA Breach Notification Rule at 45 C.F.R. § 164.402-414.
[ix] The HIPAA Enforcement Rule includes provides that in determining the amount of any applicable civil money penalty, OCR may consider mitigating factors, including matters that justice may require. See 45 C.F.R. § 160.408(e). See also https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html.
[x] The HIPAA Privacy Rule permits the disclosure to law enforcement agencies under certain circumstances. See 45 C.F.R. § 164.512(f). See also https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.