Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI).
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has provided a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a cyber-related security incident. This Compliance Overview outlines those steps and provides general information regarding which entities are subject to HIPAA and the type of data that must be protected under the law.
Employers with group health plans that are subject to HIPAA should become familiar with OCR’s checklist and other guidance for preventing and responding to cyber security breaches involving PHI. These employers should also ensure that they have procedures and contingency plans in place for responding to and mitigating the effects of any potential breach.
- Group health plan sponsors must have procedures to prevent and mitigate the effects of cyber security breaches involving PHI.
- A cyber security incident must be reported to affected individuals and to OCR if PHI is accessed, acquired, used or disclosed.
- Cyber security crimes should also be reported to law enforcement.
- A breach must be reported to all affected individuals as soon as possible, but no later than 60 days after it is discovered.
- In some cases, a cyber security breach must also be reported to OCR within 60 days after discovery.
CYBER ATTACK QUICK RESPONSE CHECKLIST
Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? The following guide explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident.
In the event of a cyber attack or similar emergency, a covered entity:
- Must execute its response and mitigation procedures and contingency plans.
For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible PHI disclosure. These steps may be performed by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to PHI for that purpose).
- Should report the crime to appropriate law enforcement agencies.
These agencies may include state or local law enforcement, the FBI or the Secret Service. Reports to these agencies should not include PHI unless otherwise permitted under HIPAA. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing or for 30 days if the request is made orally.
- Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs).
These organizations may include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Reports to these organizations should not include PHI. OCR does not receive these reports from its federal or HHS partners.
- Must report the breach to affected individuals and to OCR as soon as possible.
- If a breach affects 500 or more individuals, the covered entity must notify the affected individuals, OCR and the media no later than 60 days after discovering the breach, unless a law enforcement official has requested a delay in the reporting.
- If a breach affects fewer than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach, and notify OCR within 60 days after the end of the calendar year in which the breach was discovered.
HIPPA Covered Entities
HIPAA is a federal law designed in part to protect the privacy of certain health care information known as PHI. In general, the HIPAA privacy and security rules apply to all health plans that provide or pay for the cost of medical care. These include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. However, a self-insured group health plan with fewer than 50 eligible employees is not a covered entity if it is administered solely by the employer that established and maintains the plan.
The HIPAA privacy and security rules also apply to business associates of HIPAA-covered entities. A business associate is any vendor that creates, receives, maintains or transmits PHI for or on behalf of a covered entity. This includes vendors that have access to PHI in order to provide information technology-related services to a covered entity. Other activities a business associate may perform on behalf of a covered entity include claims processing, data analysis, utilization review and billing.
Protected Health Information
PHI includes all individually identifiable health information held by covered entities. Information is “individually identifiable” if it identifies, or if there is a reasonable basis to believe it can be used to identify, an individual. This information is PHI if it relates to:
- The individual’s past, present, or future physical or mental health or condition;
- The provision of health care to the individual; or
- The past, present or future payment for the provision of health care to the individual.
HIPPA Security Rule
Under HIPAA’s Security Rule, a “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. The Security Rule requires covered entities to:
- Identify and respond to suspected or known security incidents;
- Mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity;
- Document security incidents and their outcomes; and
- Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans.
Reportable Incidents and Indicators
HIPAA’s Breach Notification Rule requires covered entities to report certain cyber-related security incidents to affected individuals, OCR and other agencies. In general, a reportable breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information.
A security incident may not be reportable if the affected covered entity encrypted the information at the time of the incident or determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. The risk assessment must, at a minimum, take into account these factors:
- The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If an evaluation of the factors fails to demonstrate that there is a low probability that PHI has been compromised, the security incident is reportable.
Enforcement and Liability
Under HIPAA’s Enforcement Rule, OCR may assess civil money penalties of up to $57,051 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations.
Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI.
Links and Resources