Whether it’s a ransomware attack or another cyber security incident, healthcare organizations have specific obligations to manage the incursion and file appropriate reports with the federal government. Recently, the Office for Civil Rights (OCR) of the Department of Health and Human Services outlined the basic steps for healthcare organizations to take in response to a cyber-related security incident. The steps are the same whether the organization is a healthcare provider acting as a HIPAA-covered entity or a business associate.
1. Begin response and mitigation procedures and contingency plans
The organization should immediately fix any technical or other problems to stop the incident. Additionally, it should take steps to mitigate any impermissible disclosure of protected health information—that can be done by its own IT staff or by an outside entity brought in to help.
2. Report the crime to law enforcement agencies
Organizations need to contact state or local law enforcement, the FBI or the Secret Service. OCR’s advice notes that any such reports should not include protected health information, unless doing so is otherwise permitted by the HIPAA Privacy Rule. Here’s the caveat, though: if a law enforcement agency tells the organization that a breach report would impede a criminal investigation or harm national security, the organization must delay reporting the breach for the period the agency requests in writing, or for 30 days if the request is made orally.
3. Report the breach to OCR
The organization must tell OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
4. Notify affected individuals and the media
The organization also has a responsibility to promptly notify affected individuals and the media, unless a law enforcement official has requested a delay in the release of information. OCR defines a cyber-related security incident as any incident in which protected health information is accessed, acquired, used or disclosed. Such incidents must be reported as breaches unless the entity had encrypted the information at the time of the incident, or the entity determines that there was a low probability that the information was compromised during the breach.
Even with breaches of fewer than 500 individuals, the organization has an obligation to notify individuals as quickly as possible, but no more than 60 days after discovery, and OCR within 60 days after the end of the calendar year in which the breach was discovered.
5. Await penalties and fines
The HIPAA Enforcement Rule includes provisions for penalizing healthcare organizations for breaches. It states that, in determining the amount of any applicable civil money penalty, OCR may consider mitigating factors, including matters that justice may require.