SlideShare a Scribd company logo

Hhs issues hipaa cyber attack response checklist

Download as DOC, PDF
T
Todd LaRue

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a cyber data breach. This document outlines those steps and provides general information regarding which entities are subject to HIPAA and the type of data that must be protected under the law.

Business
1 of 6
HHS Issues HIPAA Cyber Attack Response Checklist OVERVIEW Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI). The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA- covered entities determine the specific steps they must take in the event of a data breach. This document outlines those steps and provides general information regarding which entities are subject to HIPAA and the type of data that must be protected under the law. ACTION STEPS Employers that are subject to HIPAA should become familiar with the OCR’s checklist and other guidance for preventing and responding to cyber security breaches involving PHI. These employers should also ensure that they have procedures and contingency plans in place for responding to and mitigating the effects of any potential breach. HIGHLIGHTS Group health plan sponsors must have procedures to prevent and mitigate the effects of cyber security breaches involving PHI. A cyber security incident must be reported to affected individuals and to the OCR if PHI is accessed, acquired, used or disclosed. Cyber security crimes should also be reported to law enforcement. IMPORTANT DATES 60 Days After Security Breach A breach must be reported to all affected individuals as soon as possible, but no later than 60 days after it is discovered. In some cases, a cyber security breach must also be reported to the OCR within 60 days after discovery. Provided By: Risk Strategies Company
OCR Quick-response Checklist Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? The guide issued by OCR explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber attack or similar emergency, a covered entity:  Must execute its response and mitigation procedures and contingency plans. For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible PHI disclosure. These steps may be performed by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to PHI for that purpose).  Should report the crime to appropriate law enforcement agencies. These agencies may include state or local law enforcement, the FBI or the Secret Service. Reports to these agencies should not include PHI unless otherwise permitted under HIPAA. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing or for 30 days if the request is made orally.  Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). These organizations may include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Reports to
these organizations should not include PHI. The OCR does not receive these reports from its federal or HHS partners.  Must report the breach to affected individuals and to the OCR as soon as possible. o If a breach affects 500 or more individuals, the covered entity must notify the affected individuals, the OCR and the media no later than 60 days after discovering the breach, unless a law enforcement official has requested a delay in the reporting. o If a breach affects fewer than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach, and notify the OCR within 60 days after the end of the calendar year in which the breach was discovered. Continue reading for more information on various aspects of the HIPAA Security Rule, which was provided by OCR along with the checklist.
This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 HIPAA Covered Entities HIPAA is a federal law designed in part to protect the privacy of certain health care information known as PHI. In general, the HIPAA privacy and security rules apply to all health plans that provide or pay for the cost of medical care. These include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. However, a group health plan with less than 50 participants is not a covered entity if it is administered solely by the employer that established and maintains the plan. The HIPAA privacy and security rules also apply to business associates of HIPAA-covered entities. A business associate is any vendor that creates, receives, maintains or transmits PHI for or on behalf of a covered entity. This includes vendors that have access to PHI in order to provide information technology-related services to a covered entity. Other activities a business associate may perform on behalf of a covered entity include claims processing, data analysis, utilization review and billing. Protected Health Information PHI includes all individually identifiable health information held by covered entities. Information is “individually identifiable” if it identifies, or if there is a reasonable basis to believe it can be used to identify, an individual. This information is PHI if it relates to: • The individual’s past, present, or future physical or mental health or condition; • The provision of health care to the individual; or • The past, present or future payment for the provision of health care to the individual. HIPAA Security Rule Under HIPAA’s Security Rule, a “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. The Security Rule requires covered entities to: Identify and respond to suspected or known security incidents; Mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity; 4 For example, PHI includes: PHI does not include:  Employment records  Records covered by the Family Educational Rights and Privacy Act (FERPA)  Information about individuals who have been deceased for more than 50 years Treatment information Billing information Insurance information Contact information Social Security numbers
This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 Document security incidents and their outcomes; and Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans. Reportable Incidents and Indicators HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed. Certain “cyber threat indicators” may be reportable under the Cybersecurity Information Sharing Act (CISA) as well. CISA describes cyber threat indicators as information that is necessary to describe or identify any of the following: Malicious reconnaissance; Methods of defeating a security control or exploitation of a security vulnerability; A security vulnerability; Methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability; Malicious cyber command and control; A description of actual or potential harm caused by an incident; or Any other attribute of a cyber security threat, if disclosure of such attribute is not prohibited by law. Enforcement and Liability Under HIPAA’s Enforcement Rule, the OCR may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, the OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations. In addition, the CISA provides liability protection to entities that monitor information systems or share or receive indicators or defensive measures in a manner consistent with the HHS sharing process. Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI. 5 A security incident may not be reportable if the affected covered entity: • Encrypted the information at the time of the incident; or • Determines, through a written risk assessment, that there was a low probability that the information was compromised during the
This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 Document security incidents and their outcomes; and Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans. Reportable Incidents and Indicators HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed. Certain “cyber threat indicators” may be reportable under the Cybersecurity Information Sharing Act (CISA) as well. CISA describes cyber threat indicators as information that is necessary to describe or identify any of the following: Malicious reconnaissance; Methods of defeating a security control or exploitation of a security vulnerability; A security vulnerability; Methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability; Malicious cyber command and control; A description of actual or potential harm caused by an incident; or Any other attribute of a cyber security threat, if disclosure of such attribute is not prohibited by law. Enforcement and Liability Under HIPAA’s Enforcement Rule, the OCR may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, the OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations. In addition, the CISA provides liability protection to entities that monitor information systems or share or receive indicators or defensive measures in a manner consistent with the HHS sharing process. Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI. 5 A security incident may not be reportable if the affected covered entity: • Encrypted the information at the time of the incident; or • Determines, through a written risk assessment, that there was a low probability that the information was compromised during the

Recommended

HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongLorianne Sainsbury-Wong
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
Hhs issues hipaa cyber attack response checklist
Hhs issues hipaa cyber attack response checklistHhs issues hipaa cyber attack response checklist
Hhs issues hipaa cyber attack response checklistTodd LaRue
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
The HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemThe HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemSecurityMetrics
 
Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Compliancy Group
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 

Recommended

HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongLorianne Sainsbury-Wong
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
Hhs issues hipaa cyber attack response checklist
Hhs issues hipaa cyber attack response checklistHhs issues hipaa cyber attack response checklist
Hhs issues hipaa cyber attack response checklistTodd LaRue
 
Cyberinsurance 111006
Cyberinsurance 111006Cyberinsurance 111006
Cyberinsurance 111006JNicholson
 
The HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemThe HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemSecurityMetrics
 
Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Do You Know How to Handle a HIPAA Breach?
Do You Know How to Handle a HIPAA Breach?Compliancy Group
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for DevelopersTrueVault
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityThe Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityPolsinelli PC
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019Jose Ivan Delgado, Ph.D.
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceTrueVault
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA DamianKnowles1
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceHostway|HOSTING
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHanna Global
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibuswardell henley
 
HIPAA | HITECH
HIPAA | HITECHHIPAA | HITECH
HIPAA | HITECHrcabarloc
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 
HIPPA Security Presentation
HIPPA Security PresentationHIPPA Security Presentation
HIPPA Security PresentationRebecca Norman
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
Simple Steps to HIPAA Compliance
Simple Steps to HIPAA ComplianceSimple Steps to HIPAA Compliance
Simple Steps to HIPAA ComplianceAtMyDeskTraining
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research TrainingCynthia Holland
 

More Related Content

What's hot

HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for DevelopersTrueVault
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityThe Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityPolsinelli PC
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceTrueVault
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceHostway|HOSTING
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHanna Global
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
HIPAA | HITECH
HIPAA | HITECHHIPAA | HITECH
HIPAA | HITECHrcabarloc
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
HIPPA Security Presentation
HIPPA Security PresentationHIPPA Security Presentation
HIPPA Security PresentationRebecca Norman
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 

What's hot (19)

HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for Developers
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...
 
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & SecurityThe Intersection of OCR Enforcement and Health Care Data Privacy & Security
The Intersection of OCR Enforcement and Health Care Data Privacy & Security
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
 
Assessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA ComplianceAssessing Your Hosting Environment for HIPAA Compliance
Assessing Your Hosting Environment for HIPAA Compliance
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA Compliance
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
HIPAA | HITECH
HIPAA | HITECHHIPAA | HITECH
HIPAA | HITECH
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
HIPPA Security Presentation
HIPPA Security PresentationHIPPA Security Presentation
HIPPA Security Presentation
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 

Similar to Hhs issues hipaa cyber attack response checklist

Simple Steps to HIPAA Compliance
Simple Steps to HIPAA ComplianceSimple Steps to HIPAA Compliance
Simple Steps to HIPAA ComplianceAtMyDeskTraining
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research TrainingCynthia Holland
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
Chapter 5HIPAA and HITECHLearning ObjectivesUnde
Chapter 5HIPAA and HITECHLearning ObjectivesUndeChapter 5HIPAA and HITECHLearning ObjectivesUnde
Chapter 5HIPAA and HITECHLearning ObjectivesUndeWilheminaRossi174
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...Compliance Global Inc
 
Privacy and Security What types of health care data are protected u.pdf
Privacy and Security What types of health care data are protected u.pdfPrivacy and Security What types of health care data are protected u.pdf
Privacy and Security What types of health care data are protected u.pdfbadshetoms
 
Protecting patient privacy
Protecting patient privacyProtecting patient privacy
Protecting patient privacydlemin919
 
PSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceJay Hodes
 
Lawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouLawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouOregon Law Practice Management
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardAtlantic Training, LLC.
 
Overview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceOverview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceSquare 9
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfSuccessiveDigital
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 

Similar to Hhs issues hipaa cyber attack response checklist (20)

Simple Steps to HIPAA Compliance
Simple Steps to HIPAA ComplianceSimple Steps to HIPAA Compliance
Simple Steps to HIPAA Compliance
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training2017 HIPAA Clinical Research Training
2017 HIPAA Clinical Research Training
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdf
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
Chapter 5HIPAA and HITECHLearning ObjectivesUnde
Chapter 5HIPAA and HITECHLearning ObjectivesUndeChapter 5HIPAA and HITECHLearning ObjectivesUnde
Chapter 5HIPAA and HITECHLearning ObjectivesUnde
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
HIPAA Breach NotificationRule - What you must do to comply - By Compliance Gl...
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
Privacy and Security What types of health care data are protected u.pdf
Privacy and Security What types of health care data are protected u.pdfPrivacy and Security What types of health care data are protected u.pdf
Privacy and Security What types of health care data are protected u.pdf
 
Protecting patient privacy
Protecting patient privacyProtecting patient privacy
Protecting patient privacy
 
PSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS Community
 
HIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of ComplianceHIPAA - Understanding the Basics of Compliance
HIPAA - Understanding the Basics of Compliance
 
Lawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouLawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt You
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
 
Overview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceOverview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa compliance
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 

Recently uploaded

PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPanhandleOilandGas
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDEUJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDEkajalroy875762
 
Progress Report - Oracle's OCI Analyst Summit 2024
Progress Report - Oracle's OCI Analyst Summit 2024Progress Report - Oracle's OCI Analyst Summit 2024
Progress Report - Oracle's OCI Analyst Summit 2024Holger Mueller
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxRoofing Contractor
 
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docx
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docxManagerial Accounting 5th Edition by Stacey Whitecotton test bank.docx
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docxssuserf63bd7
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Falcon Invoice Discounting
 
The Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and UncertaintyThe Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and Uncertaintycapivisgroup
 
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxQSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxDitasDelaCruz
 
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptxThompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptxtmthompson1
 
Shots fired Budget Presentation.pdf12312
Shots fired Budget Presentation.pdf12312Shots fired Budget Presentation.pdf12312
Shots fired Budget Presentation.pdf12312LR1709MUSIC
 
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...bleessingsbender
 
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdf
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdfThe Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdf
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdfbelieveminhh
 
Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.htj82vpw
 
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...ssuserf63bd7
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...yulianti213969
 

Recently uploaded (20)

PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDEUJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
 
Progress Report - Oracle's OCI Analyst Summit 2024
Progress Report - Oracle's OCI Analyst Summit 2024Progress Report - Oracle's OCI Analyst Summit 2024
Progress Report - Oracle's OCI Analyst Summit 2024
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docx
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docxManagerial Accounting 5th Edition by Stacey Whitecotton test bank.docx
Managerial Accounting 5th Edition by Stacey Whitecotton test bank.docx
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
The Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and UncertaintyThe Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and Uncertainty
 
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxQSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
 
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptxThompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
Thompson_Taylor_MBBS_PB1_2024-03 (1)- Project & Portfolio 2.pptx
 
Shots fired Budget Presentation.pdf12312
Shots fired Budget Presentation.pdf12312Shots fired Budget Presentation.pdf12312
Shots fired Budget Presentation.pdf12312
 
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...
Abortion pills in Jeddah ! +27737758557, cytotec pill riyadh. Saudi Arabia" A...
 
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdf
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdfThe Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdf
The Vietnam Believer Newsletter_May 13th, 2024_ENVol. 007.pdf
 
Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.
 
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...
Understanding Financial Accounting 3rd Canadian Edition by Christopher D. Bur...
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
obat aborsi bandung wa 081336238223 jual obat aborsi cytotec asli di bandung9...
 

Hhs issues hipaa cyber attack response checklist

  • 1. HHS Issues HIPAA Cyber Attack Response Checklist OVERVIEW Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI). The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA- covered entities determine the specific steps they must take in the event of a data breach. This document outlines those steps and provides general information regarding which entities are subject to HIPAA and the type of data that must be protected under the law. ACTION STEPS Employers that are subject to HIPAA should become familiar with the OCR’s checklist and other guidance for preventing and responding to cyber security breaches involving PHI. These employers should also ensure that they have procedures and contingency plans in place for responding to and mitigating the effects of any potential breach. HIGHLIGHTS Group health plan sponsors must have procedures to prevent and mitigate the effects of cyber security breaches involving PHI. A cyber security incident must be reported to affected individuals and to the OCR if PHI is accessed, acquired, used or disclosed. Cyber security crimes should also be reported to law enforcement. IMPORTANT DATES 60 Days After Security Breach A breach must be reported to all affected individuals as soon as possible, but no later than 60 days after it is discovered. In some cases, a cyber security breach must also be reported to the OCR within 60 days after discovery. Provided By: Risk Strategies Company
  • 2. OCR Quick-response Checklist Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? The guide issued by OCR explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident. In the event of a cyber attack or similar emergency, a covered entity:  Must execute its response and mitigation procedures and contingency plans. For example, the entity should immediately fix any technical or other problems to stop the incident. The entity should also take steps to mitigate any impermissible PHI disclosure. These steps may be performed by the entity’s own information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to PHI for that purpose).  Should report the crime to appropriate law enforcement agencies. These agencies may include state or local law enforcement, the FBI or the Secret Service. Reports to these agencies should not include PHI unless otherwise permitted under HIPAA. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing or for 30 days if the request is made orally.  Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). These organizations may include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Reports to
  • 3. these organizations should not include PHI. The OCR does not receive these reports from its federal or HHS partners.  Must report the breach to affected individuals and to the OCR as soon as possible. o If a breach affects 500 or more individuals, the covered entity must notify the affected individuals, the OCR and the media no later than 60 days after discovering the breach, unless a law enforcement official has requested a delay in the reporting. o If a breach affects fewer than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach, and notify the OCR within 60 days after the end of the calendar year in which the breach was discovered. Continue reading for more information on various aspects of the HIPAA Security Rule, which was provided by OCR along with the checklist.
  • 4. This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 HIPAA Covered Entities HIPAA is a federal law designed in part to protect the privacy of certain health care information known as PHI. In general, the HIPAA privacy and security rules apply to all health plans that provide or pay for the cost of medical care. These include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. However, a group health plan with less than 50 participants is not a covered entity if it is administered solely by the employer that established and maintains the plan. The HIPAA privacy and security rules also apply to business associates of HIPAA-covered entities. A business associate is any vendor that creates, receives, maintains or transmits PHI for or on behalf of a covered entity. This includes vendors that have access to PHI in order to provide information technology-related services to a covered entity. Other activities a business associate may perform on behalf of a covered entity include claims processing, data analysis, utilization review and billing. Protected Health Information PHI includes all individually identifiable health information held by covered entities. Information is “individually identifiable” if it identifies, or if there is a reasonable basis to believe it can be used to identify, an individual. This information is PHI if it relates to: • The individual’s past, present, or future physical or mental health or condition; • The provision of health care to the individual; or • The past, present or future payment for the provision of health care to the individual. HIPAA Security Rule Under HIPAA’s Security Rule, a “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. The Security Rule requires covered entities to: Identify and respond to suspected or known security incidents; Mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity; 4 For example, PHI includes: PHI does not include:  Employment records  Records covered by the Family Educational Rights and Privacy Act (FERPA)  Information about individuals who have been deceased for more than 50 years Treatment information Billing information Insurance information Contact information Social Security numbers
  • 5. This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 Document security incidents and their outcomes; and Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans. Reportable Incidents and Indicators HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed. Certain “cyber threat indicators” may be reportable under the Cybersecurity Information Sharing Act (CISA) as well. CISA describes cyber threat indicators as information that is necessary to describe or identify any of the following: Malicious reconnaissance; Methods of defeating a security control or exploitation of a security vulnerability; A security vulnerability; Methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability; Malicious cyber command and control; A description of actual or potential harm caused by an incident; or Any other attribute of a cyber security threat, if disclosure of such attribute is not prohibited by law. Enforcement and Liability Under HIPAA’s Enforcement Rule, the OCR may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, the OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations. In addition, the CISA provides liability protection to entities that monitor information systems or share or receive indicators or defensive measures in a manner consistent with the HHS sharing process. Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI. 5 A security incident may not be reportable if the affected covered entity: • Encrypted the information at the time of the incident; or • Determines, through a written risk assessment, that there was a low probability that the information was compromised during the
  • 6. This Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2017 Zywave, Inc. All rights reserved. CMP 6/17 Document security incidents and their outcomes; and Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans. Reportable Incidents and Indicators HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed. Certain “cyber threat indicators” may be reportable under the Cybersecurity Information Sharing Act (CISA) as well. CISA describes cyber threat indicators as information that is necessary to describe or identify any of the following: Malicious reconnaissance; Methods of defeating a security control or exploitation of a security vulnerability; A security vulnerability; Methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability; Malicious cyber command and control; A description of actual or potential harm caused by an incident; or Any other attribute of a cyber security threat, if disclosure of such attribute is not prohibited by law. Enforcement and Liability Under HIPAA’s Enforcement Rule, the OCR may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, the OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations. In addition, the CISA provides liability protection to entities that monitor information systems or share or receive indicators or defensive measures in a manner consistent with the HHS sharing process. Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI. 5 A security incident may not be reportable if the affected covered entity: • Encrypted the information at the time of the incident; or • Determines, through a written risk assessment, that there was a low probability that the information was compromised during the