HHS Releases HIPAA Cyber-Attack Checklist
posted: Wednesday, June 21st
Tips for Responding to Cyber-Related Security Incidents
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released a quick-response checklist briefly describing the steps that HIPAA-covered entities (including medical and dental offices) and their business associates should take in response to a cyber-related security incident. Steps include:
- Executing the entity's response and mitigation procedures and contingency plans, such as immediately fixing any technical or other problems to stop the incident;
- Reporting the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service;
- Reporting all cyber-threat indicators to federal agencies and to information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response (such reports should not include protected health information); and
- Reporting the breach to OCR as soon as possible, and no later than 60 days after discovery of a breach affecting 500 or more individuals (a breach affecting fewer than 500 individuals may instead be reported to OCR annually, within 60 days after the end of the calendar year in which it was discovered), and notifying affected individuals and, where required, the media, unless a law enforcement official has requested a delay in the notification.
Note: OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include the voluntary sharing of breach-related information with law enforcement agencies, federal agencies, and information-sharing and analysis organizations.