HIPAA Guidance Issued to Address Responses to Cyber-related Security Incidents

Technology is increasingly prevalent in behavioral health settings. It is common for the workforce to communicate with patients and colleagues using an array of technological tools, including smartphones, tablets and laptops. Mobile devices are particularly vulnerable to cyberattack because software downloads may include malicious applications, malicious websites may automatically download malware, direct attacks may be launched through the communication network, and lost or stolen devices may be physically manipulated to allow access and use of health information.

In the article, From Emoji’s to Tablets: Taking Advantage of E-Communication Technology in Compliance with HIPAA, we discuss best practices community behavioral health organizations (CBHOs) should implement regarding electronic communication in order to maintain compliance with HIPAA. In addition to protecting organizations from risk of disclosures of protected health information (PHI) and other confidential information, organizations must also be prepared to protect themselves and respond to cyberattacks and other cyber-related incidents.

Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a checklist that provides steps for HIPAA covered entities to respond to cyberattacks and other cyber-related security incidents.

The HIPAA Security Rule requires covered entities to:

  1. Identify and respond to suspected or known security incidents.
  2. Mitigate the harmful effects, to the extent possible.
  3. Document each security incident and the outcome.

The checklist outlines what covered entities must do to be compliant with HIPAA and includes actions suggested by OCR.

For example, covered entities:

1. Must execute their response and mitigation procedures and contingency plans:

  • Organizations should immediately take the steps needed to fix the problem and minimize the incident’s impact.
  • Organizations should also take steps to protect against an impermissible disclosure of PHI.
  • If an organization hires an outside vendor or consultant to help with its response and mitigation efforts, the outside vendor or consultant is considered a business associate if it has access to PHI for such duties. The organization is required to enter into a written contract or business associate agreement (BAA). If an organization has identified an outside vendor or consultant to help respond in case of a cyberattack, already having an executed BAA in place allows the organization and the business associate to respond to the incident quickly.

2. Must assess the incident to determine whether or not there has been a breach of PHI:

  • If the covered entity determines there has been a breach, it must:
    • Report the breach to the affected individuals without unreasonable delay and within 60 days of discovering the breach. If a law enforcement official requests that the breach report be delayed, the organization must delay the report as described in the HIPAA Privacy Rule.
    • Report the breach to OCR following the reporting requirements related to the number of individuals affected:
      • If the breach affects 500 individuals or more, the organization must report it as soon as possible and no later than 60 days from the date of discovery. Breaches affecting 500 individuals or more may also require an organization to notify media outlets.
      • If the breach affects fewer than 500 individuals, the organization must notify OCR within 60 days after the calendar year in which the breach was identified.
  • If the covered entity determines there was not a breach, the entity must document and retain all information considered during the risk assessment of the cyberattack, including documentation of how it determined that a breach did not occur.

3. Should report the crime and the threat:

  • OCR recommends that organizations report the crime to local police, state police and the FBI. Organizations should ensure that any disclosure of PHI to law enforcement is permitted by the HIPAA Privacy Rule, by 42 Code of Federal Regulations (CFR) Part 2 and by state law.
  • OCR also recommends that covered entities report all cyberthreat indicators to federal agencies and information-sharing and analysis organizations, such as the Department of Homeland Security.

The checklist reiterates that OCR will take into account all mitigation efforts taken by a covered entity during any particular investigation when determining the amount of any applicable civil money penalty.

Regarding cyberattacks and HIPAA compliance in general, CBHOs should maintain up-to-date policies and procedures and take measures to adequately train staff. Privacy violations, whether overt, inadvertent or caused by third-party cyberattacks, can result in harm to patients, state and federal regulatory violations, and hefty penalties. Taking proactive measures now to prevent disclosures and to mitigate the impact of third-party breaches is a recommended step toward reducing risk for behavioral health organizations.
