HHS Office for Civil Rights Posts HIPAA Security Rule Security Incident Procedures

Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data. Within the health care industry, the HIPAA Security Rule applies to covered entities and their business associates (“regulated entities”) and electronic protected health information (ePHI). Because ePHI identifies individuals and includes information relating to an individual’s health, treatment, or payment information, it is a valuable target for cyber-criminals.

Because of the recent flurry of security incidents impacting health care providers, HHS OCR has published its “HIPAA Security Rule Security Incident Procedures.” A 2022 report noted a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. Breaches of unsecured PHI, including ePHI, reported to HHS OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

The HIPAA Security Rule requires regulated entities to “implement policies and procedures to address security incidents.” This means regulated entities need to have a documented plan in place for responding to security incidents (suspected or known) that includes:

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

Given the focus on security incidents from HHS OCR, this would be a good time to revisit your own institution’s incident response procedures and conduct a tabletop exercise to improve your team’s ability to respond effectively.
