On October 25, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published its latest cybersecurity newsletter, reminding HIPAA covered entities and business associates of their obligation under the HIPAA Security Rule to implement policies and procedures addressing security incidents. While much attention in the industry is focused on whether an event is a reportable data breach, it is important that HIPAA-regulated entities do not bypass their obligations regarding security incidents.
A security incident is defined within the HIPAA Security Rule as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” OCR stated that seventy-four percent of breaches reported to OCR in 2021 involved hacking or information technology incidents.
Viewing security incidents as “inevitable,” OCR’s guidance reminds covered entities and business associates of their obligation to maintain a documented plan to identify, respond to, mitigate the harmful effects of, and document security incidents. OCR also encourages organizations to establish a security incident response team so that a process, and personnel trained to follow it, are in place before an incident occurs. Developing, or updating, an incident response plan is critical to positioning an organization to address a security incident or any other type of data incident.
Within an organization’s incident response plan, OCR suggests that organizations have “sub-plans” in place to address specific types of security incidents, particularly if the organization deals with such incidents repeatedly, such as a plan to address a ransomware attack, a plan specific to phishing attacks, and a plan to respond to malicious actions of organization insiders.
The guidance outlines the requirements for covered entities to report breaches of unsecured protected health information (PHI). Although the guidance does not address it, business associates also should take care to understand not only their obligations to report breaches of unsecured PHI to their covered entity clients, but also their obligations to report security incidents and potential breaches of unsecured PHI. These obligations, including the timing, the content, and any carve-outs (many covered entities do not require reporting of “unsuccessful” security incidents, or require such reporting on a periodic basis rather than after each event), should be detailed in the business associate agreement between the parties.
With respect to security incidents, an “ounce of prevention,” in the form of a robust incident response plan, comprehensive, documented policies and procedures, and workforce training, can go a long way to mitigate the impact of these events.