Cyber attack guidance was released by the U.S. Department of Health & Human Services (DHHS), Office for Civil Rights (OCR), on June 8, 2017, including a cyber security checklist and infographic outlining the steps a HIPAA covered entity, or its business associate, should take in the event of a cyber attack. A covered entity or business associate must immediately fix any technical or other problem so as to stop the cyber attack and to mitigate against an impermissible disclosure of protected health information. This may be undertaken by the entity’s internal information technology staff or by an outside contractor, which would necessitate the execution of a current Business Associate Agreement. There is also an obligation to report the incident as a crime to appropriate law enforcement agencies, which may include local law enforcement, the Federal Bureau of Investigation (FBI), the Department of Homeland Security, or the Secret Service. It should be noted that if law enforcement advises that reporting the cyber attack may impede a criminal investigation or damage national security, then the entity must delay submitting a breach report for the time requested by law enforcement or, if the request is made orally, for thirty (30) days.
Unless law enforcement has requested a delay in reporting, the entity is required to report the breach and/or cyber attack to OCR as soon as possible, and in no case more than 60 days later, if 500 or more individuals have been affected. There is a presumption that all cyber attacks in which protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. If the entity discovers that the cyber attack affected fewer than 500 individuals, it has an obligation to notify the affected individuals without unreasonable delay, but no later than 60 days after discovery, and to notify OCR within 60 days after the end of the calendar year in which the breach was discovered.
Compliant Legal Solutions, LLC, provides a secure cloud-based service that can assist you in tracking and meeting your compliance obligations before a cyber attack occurs, and then assist in guiding you through the response and reporting phase. Your compliance efforts will be documented and available should you be subject to an audit and find the need to demonstrate your compliance efforts over time. Learn more about our services here, or feel free to call us as we would very much like to speak with you.