The ransomware campaigns and healthcare IT security incidents last month have lead to the Department of Health and Human Services’ Office for Civil Rights to issue a warning to covered entities about HIPAA Rules on security breaches.
In its May 2017 Cyber Newsletter, OCR explains what makes up a HIPAA security incident, preparing for such an incident and how to respond when perimeters are violated.
HIPAA requires all covered groups to put in place technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered groups have complex, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still take place. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.
Before the publication of OCR guidance on ransomware attacks in 2016, there was some misunderstanding about what constituted a security incident and reportable HIPAA breach. Many healthcare groups had suffered ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been viewed.
OCR has warned covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) refers to a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
OCR has taken the chance to remind covered entities that they need to get ready for those incidents. Policies and procedures should be developed that kick into action straight after the discovery of a security incident or data breach.
If covered groups react quickly to security incidents and data breaches it is possible to lessen the impact and reduce legal liability and operational and reputational damage. Contingency plans should be in place for a range of security incidents and emergency situations. OCR states “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”
When a breach takes place, the HIPAA Breach Notification Rule requirements must be adhered to. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be alerted regarding a breach and alerts to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”
Every month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted after the deadline and patients have had their notification letters delayed.
OCR reminds covered groups that the HIPAA deadline for reporting security incidents and sending alerts to patients/health plan members is 60 days* from the discovery of the HIPAA violation.
This is a deadline, not a guideline. Many covered groups delay issuing alerts until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be sent “without reasonable delay.”