The HHS Office for Civil Rights (OCR) is offering guidance on when a cyberattack constitutes a HIPAA breach and must be reported. OCR makes clear that healthcare entities must cooperate with law enforcement when reporting breaches, even if they are obligated to report under HIPAA.
“OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach,” the guidance notes.
Rule of Thumb: Do Not Delay Reporting
The advice includes information that can be useful when a ransomware or other cyberattack is detected. The guidance applies to both covered entities and their business associates. The OCR guidance includes the following:
- Healthcare organizations must implement mitigation procedures and contingency plans, and immediately fix security holes or other problems to stop the incident. Organizations also should mitigate any impermissible disclosure of protected health information (PHI), which may be performed by in-house IT staff or third-party organization (which would be a business associate if it has access to PHI for that purpose).
- Report the cyberattack to all applicable law enforcement, which may include state or local law enforcement, FBI, and/or the Secret Service. Reports should not include PHI, unless permitted by the HIPAA Privacy Rule. If law enforcement determines reporting the breach would impede a criminal investigation or harm national security, the entity must delay reporting for the amount of time requested in writing, or 30 days for oral requests.
- All cyberthreat indicators should be reported to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS assistant secretary for Preparedness and Response, and private sector cyberthreat ISAOs. The reports should not contain PHI.
- Report breaches affecting 500 or more individuals to OCR no later than 60 days after the discovery. Notify affected individuals and the media unless law enforcement officials request a delay in the reporting.