5 steps the feds suggest if a breach occurs
Whether it’s a ransomware attack or another cyber security incident, organizations have specific obligations to manage the incursion and file appropriate reports with the federal government. For example, the Office for Civil Rights (OCR) of the Department of Health and Human Services recently outlined the basic steps for healthcare organizations to take in response to a cyber-related security incident. The steps are the same for a healthcare provider (as a HIPAA-covered entity) and for a business associate.
1. Begin response and mitigation procedures and contingency plans
The organization should immediately fix any technical or other problems to stop the incident. Additionally, it should take steps to mitigate any impermissible disclosure of protected information; that work can be done by its own IT staff or by an outside entity brought in to help.
2. Report the crime to law enforcement agencies
Organizations need to contact state or local law enforcement, the FBI or the Secret Service. In the case of healthcare providers, OCR’s advice notes that any such reports should not include protected health information unless that is otherwise permitted by the HIPAA Privacy Rule. Here’s the caveat, though: if a law enforcement agency tells the organization that a breach report would impede a criminal investigation or harm national security, the organization must delay reporting the breach for the period the agency requests in writing, or for 30 days if the request is made orally.
3. Report the breach to OCR
The organization must tell OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
4. Notify affected individuals and the media
The organization also has a responsibility to promptly notify affected individuals and the media, unless a law enforcement official has requested a delay in the release of information. OCR defines a cyber-related security incident as one in which protected health information is accessed, acquired, used or disclosed. Such incidents must be reported as breaches unless the entity had encrypted the information at the time of the incident, or unless the entity determines that there was a low probability that the information was compromised during the breach.

Even with breaches of fewer than 500 individuals, the organization has an obligation to notify individuals as quickly as possible, but no more than 60 days after discovery, and OCR within 60 days after the end of the calendar year in which the breach was discovered.
5. Await penalties and fines
For healthcare organizations, the HIPAA Enforcement Rule includes provisions for penalizing breaches. It states that, in determining the amount of any applicable civil money penalty, OCR may consider mitigating factors, including matters that justice may require.