Cyber Attack Quick-Response Checklist for HIPAA Covered Entities

Written by: Anthony E. Stewart, Esq.

Ransomware attacks, like other cyber-attacks, are occurring more and more frequently, and healthcare entities are common targets. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a quick-response checklist and infographic detailing steps a HIPAA covered entity or its business associate should take to respond to a cyber-related security incident.

1. RESPOND: The entity must execute its response and mitigation procedures and contingency plans.

a. Immediately fix any technical or other problems to stop the incident.

b. Mitigate any impermissible disclosure of protected health information.

2. REPORT CRIME: The entity should report the crime to criminal law enforcement agencies, which may include:

a. State or local law enforcement

b. Federal Bureau of Investigation

c. Secret Service

Any reports to law enforcement should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule.

3. REPORT THREAT: The entity should report all cyber threat indicators to the appropriate federal agencies and information-sharing and analysis organizations (ISAOs), which include:

a. Department of Homeland Security

b. HHS Assistant Secretary for Preparedness and Response

c. Private-sector cyber-threat ISAOs

Any reports to these organizations should not include protected health information.

4. ASSESS BREACH: The entity must assess the incident to determine if there is a breach of protected health information. If a breach has occurred:

a. Affects 500 or more individuals. The entity must report to OCR and the media as soon as possible, but no later than 60 days after the discovery of the breach.

b. Affects fewer than 500 individuals. The entity must report to OCR no later than 60 days after the calendar year of the breach.

If a breach has not occurred, the entity must document and retain all information considered during the risk assessment of the cyber-attack, including how it determined no breach occurred.

If you have experienced a cyber-related security incident or need assistance developing an Incident Response Plan, we can help. Contact us today to learn more.