The Office for Civil Rights (OCR), which is responsible for HIPAA enforcement, issued a reminder regarding security incidents in its May 2017 Cyber Newsletter. In this newsletter, OCR reminded covered entities of the definition of a security incident, how to prepare for an incident and the requirements for breach notifications. This reminder was prompted by healthcare IT security incidents over the course of this spring—including the high-profile WannaCry ransomware attacks—and how they pertain to HIPAA compliance concerns. In case you missed it, here’s a recap of what covered entities should take away from OCR’s reminder:
1. Make sure your staff is trained on the HIPAA definition of a security incident
It’s not enough for compliance officers and senior IT staff to know the full HIPAA definition of a security incident; all employees need to be able to recognize and react to a security incident when they spot one. In their newsletter, OCR reminds us that a security incident is defined under the HIPAA Security Rule as,
“…an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
It’s important to note that by this definition, even an attempted breach qualifies as an incident that needs to be prepared for and reacted to. Even for well-equipped, well-trained organizations, there is still information that can slip through the cracks or simply be misunderstood. For example, many organizations expressed confusion specifically around ransomware attacks, until OCR published guidance on the subject last year. Prior to that publication, several healthcare organizations experienced ransomware attacks that went unreported due to lack of knowledge on the subject. Make use of OCR guides and training materials so all members of your organization understand what constitutes a security incident.
2. Have a comprehensive response plan in place that your staff is trained on
As with the first point, having a HIPAA security incident response plan in place won’t do any good if only compliance officers or IT staff are trained on it. Your whole organization should be briefed on how to identify a security incident and how to respond appropriately so that the incident is addressed in a timely manner.
One of the most important elements to these procedures, as OCR notes, is to be sure that your response plan kicks into effect immediately. A quick reaction to an incident heightens the possibility that the breach can be mitigated, reducing the impact of legal ramifications or potential damage to your organization’s reputation.
3. Never delay notifying OCR of a security incident
OCR’s final reminder from the newsletter was that any HIPAA breach or security incident needs to be reported immediately. The HIPAA Breach Notification Rule (45 CFR 164.402) states that both OCR and impacted patients must be notified in the event of,
“…an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”
OCR reminds entities that the deadline for sending breach notifications to patients and health plan providers, as well as reporting to OCR itself, is 60 days from when the breach was discovered. However, the HIPAA Breach Notification Rule also states that notifications must be issued “without unreasonable delay.” The sooner a breach is reported and documented, the sooner it can be resolved.
Remember: Business Associates need to be audited for HIPAA compliance, too
Remember also that compliance goes beyond your internal organization. Service providers that handle any of your HIPAA-governed data are also subject to these guidelines, and whether they’ve signed a BAA or not, your organization will assume responsibility in the event of a security incident. Take time to regularly review your organization’s HIPAA security best practices and policies with your Business Associates. Not sure if your Business Associate is really HIPAA compliant? Take some time to read through our Compliance White Paper for a full understanding of the documentation and information that a HIPAA compliant service provider should be able to provide. Or, if you’re currently seeking a new HIPAA compliant cloud fax provider, get a free copy of our cloud fax reference guide by following the link below. You’ll get a detailed look at compliance concerns and more to help you find a cloud fax service that is fully HIPAA compliant.