June 27, 2017
HHS recently published a quick-response checklist on cyberattacks, which outlines the steps for a HIPAA-covered entity or its business associate (BA) to take in response to a cyber-related security incident. In the event of a cyberattack or similar emergency, an entity:
As a reminder, HIPAA’s Security Rule requires covered entities (and their BAs) to implement security measures for protected health information (PHI) that is stored electronically. Covered entities (and BAs) must implement a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronically stored PHI and implementing procedures to guard against and detect malicious software. The rule also requires the covered entity to train users on malicious software protection so that they are able to help detect malicious software and report any such detection.
The checklist contains no new employer obligations, but can serve as a great resource for employers and their BAs when it comes to HIPAA security rule compliance. Employers should work with outside counsel and their technology partners in developing HIPAA security practices and procedures, and should incorporate the checklist with respect to specific practices relating to cyberattacks.