Responding to the recent worldwide cyberattacks that affected healthcare systems, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a reminder to covered entities about HIPAA rules on security breaches.

OCR explains in its reminder what constitutes a HIPAA security incident, preparing for such an incident, and how to respond when perimeters are breached. Cybersecurity defenses are unlikely to be 100% effective, so breaches still can occur even when covered entities have extensive, multilayered security, OCR cautions.

OCR notes that there has been some confusion about what constitutes a security incident and a reportable HIPAA breach. Some healthcare organizations experienced ransomware attacks recently but failed to report those incidents to OCR or notify patients that their electronic protected health information (ePHI) may have been accessed, OCR says.

The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

Covered entities need to prepare for those incidents with policies and procedures that can be activated immediately following the discovery of a security incident or data breach, OCR says.

“Policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities,” according to OCR.

The HIPAA Breach Notification Rule requirements apply following a cyberattack that results in a breach of PHI, OCR says. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be notified of a breach and notifications to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”

OCR’s clarification is available online at: