HIPAA compliance and cybersecurity are very closely related. Although the HIPAA rules do not explicitly state anything about cybersecurity, the safeguards under the HIPAA Security somewhat make up for the deficiencies in cyber defense.
The Department of Health and Human Services (HHS) also recommends following the NIST’s guidelines for cybersecurity framework. If a patient’s data gets breached, whether as a result of an employee’s action or due to a cyberattack, there will be HIPAA repercussions.
That is why cybersecurity and HIPAA compliance are very closely related, and under the HIPAA Act, a covered entity that experiences cybersecurity-related incidents or a ransomware attack must take immediate action to mitigate any impermissible release of Protected Health Information (PHI).
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.
The document provides guidance and general information regarding the types of information protected under the law and entities subject to HIPAA.
What to do when you experience a cyber attack?
Organizations that are subject to HIPAA should become familiar with the guidelines and OCR’s checklist for preventing and responding to cybersecurity-related incidents involving PHI. Employers must make sure that they have appropriate procedures and contingency plans in place for responding to and mitigating the effects of any potential breach.
Quick Response Checklist by OCR
Have you just experienced a ransomware attack or any cybersecurity-related provided by OCR and incident, and now wondering what you should do? You’re in the right place. Take a look at these guidelines provided by the OCR that a HIPAA-covered entity or business associate should follow in response to a cybersecurity-related incident.
In the event of a cyber-attack or similar emergency, a covered entity:
- Must execute its response and mitigation procedures and contingency plans.
For instance, the organization should fix any technical or other problems to mitigate the incident. The entity should also take steps to mitigate any impermissible PHI disclosure. These steps may be performed by the entity’s information technology staff, or by an outside entity brought in to help (which would be a business associate, if it has access to PHI for that purpose).
- Should report the crime to appropriate law enforcement agencies.
These agencies may include state or local law enforcement, the FBI, or the Secret Service. Reports to these agencies should not include PHI unless otherwise permitted under HIPAA. If a law enforcement official tells the entity that any potential breach report would impede a criminal investigation or harm national security, the entity must delay reporting a breach for the time the law enforcement official requests in writing or 30 days if the request is made orally.
- Should report all cyber threat indicators to federal, information-sharing, and analysis organizations (ISAOs).
These organizations may include the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Reports to these organizations should not include PHI. The OCR does not receive these reports from its federal or HHS partners.
- Must report the breach to affected individuals and the OCR as soon as possible.
If a breach affects 500 or more individuals, the covered entity must notify the affected individuals, the OCR, and the media no later than 60 days after discovering the breach, unless a law enforcement official has requested a delay in the reporting.
If a breach affects fewer than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach, and notify the OCR within 60 days after the end of the calendar year in which the breach was discovered.
Continue reading for more information on various aspects of the HIPAA Security Rule, provided by OCR and the checklist.
HIPAA Security Rule
Under HIPAA’s Security Rule, a “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. The Security Rule requires covered entities to:
- Identify and respond to suspected or known security incidents.
- Mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity.
- Document security incidents and their outcomes.
- Establish and implement contingency plans, including data backup plans, disaster recovery plans, and emergency mode operation plans.
HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR, and other agencies. A reportable breach generally occurs anytime when PHI was accessed, acquired, used, or disclose without authorization.
One thing the world can say the Covid-19 pandemic did for us is that it pushed us to integrate more effective and efficient measures to help sectors function better in this post-covid era. And the healthcare sector was not left out. Today, HIPAA helps the healthcare sector make decisions smoothly and keep data on patients’ health safe. They can also modify or correct whatever information they share with these medical parties, and restrict the disclosure of their personal information when necessary.
Unlike before, patients can now make contributions to their medical data thanks to the legislation passed which allows them to not only view their medical files but also make duplicate copies of their data on demand. One primary advantage of this development is that it helped patients with preexisting conditions switch jobs without having to worry about how medical records affect their health insurance.
With total patient privacy being one of the core objectives of HIPAA, another thing it fostered is stronger passwords by medical professionals to prevent breaches in patients’ medical records. Medical errors in busy systems have also been eliminated to a great extent as a result of patients and medical professionals having to cooperate to generate medical files.
In workplaces, the integration of HIPAA into the system has enhanced physical security. And by this, we mean the locations and manner of storage of things such as PHI, servers, computers, etc. This sensitivity extends to surveillance cameras, alarm systems, and so on. Finally, HIPAA has introduced regular audits and cybersecurity into the healthcare system, strengthening its position on patient security and confidentiality.
For the healthcare system in these times, things can only get better.
Manage Training, Safeguards, Contingency Plans, and More With HIPAA Ready
HIPAA Ready compliance management software is the best app to simplify compliance. The app includes modules where you can develop contingency plans, make documentation, report incidents, and provide security training to employees.
HIPAA Ready will also ensure that you have applied all the reasonable and appropriate security safeguards to strengthen your data protection. What’s more, you will receive free training materials once you start using HIPAA Ready!