Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI).
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.
Entities subject to HIPAA should become familiar with the OCR’s checklist and other guidance for handling cyber security breaches involving PHI. These entities should also ensure they have plans for mitigating the effects of breaches.
OCR Quick-response Checklist In the event of a cyber attack or similar emergency, a covered entity must do the following:
Execute its response and mitigation procedures and contingency plans.
Report the crime to appropriate law enforcement agencies.
Report all cyber threat indicators to federal and information-sharing and analysis organizations.
Report the breach to affected individuals and to the OCR as soon as possible.
Reportable Incidents HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed.
While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or change circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting, or other professional advice or services. Readers should always seek professional advice before entering into any commitments.