HHS Publishes HIPAA Checklist Related to Cyberattacks

HHS recently published a quick-response checklist on cyberattacks, which outlines the steps for a HIPAA-covered entity or its business associate (BA) to take in response to a cyber-related security incident. In the event of a cyberattack or similar emergency, an entity:

  1. Must execute its response and mitigation procedures and contingency plans;
  2. Should report the crime to other law enforcement agencies;
  3. Should report all cyber threat indicators to federal and information-sharing and analysis organizations; and
  4. Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.

As a reminder, HIPAA’s Security Rule requires covered entities (and their BAs) to implement security measures for protected health information (PHI) that is stored electronically. Covered entities (and BAs) must implement a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronically stored PHI and implementing procedures to guard against and detect malicious software. The rule also requires the covered entity to train users on malicious software protection so they are able to assist in detecting malicious software (and to report any such detection).

The checklist contains no new employer obligations, but can serve as a great resource for employers and their BAs when it comes to HIPAA security rule compliance. Employers should work with outside counsel and their technology partners in developing HIPAA security practices and procedures, and should incorporate the checklist with respect to specific practices relating to cyberattacks.
