The HHS cybersecurity best practices serve as a guide healthcare organizations can adopt to improve their security posture. One of these best practices is security incident response. 

HIPAA Cyber Incident Response Requirements

HIPAA requires healthcare organizations to report security incidents to the Office for Civil Rights (OCR). HIPAA defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

The penalties for failing to comply with HIPAA cyber incident response requirements can be severe. 

Sentara Hospitals operates 12 acute care hospitals in Virginia and North Carolina. An investigation – following a 2017 complaint to OCR about an individual receiving another patient’s protected health information (PHI) in a bill – discovered Sentara had mailed 577 patients’ PHI to the wrong addresses.

Sentara had reported the breach as affecting only eight people due to the mistaken notion that only violations containing medical information like diagnosis or treatment details need to be reported. Even after being advised otherwise by OCR, Sentara refused to report the breach properly.

Following a complete investigation, Sentara accepted a settlement with OCR and agreed to pay a $2.175 million HIPAA fine for failing to report the breach properly and failing to have a business associate agreement with an entity that performed business associate services.

What are the HIPAA Cyber Incident Response Requirements?

As Sentara and other companies have discovered, HIPAA considers proper reporting of breaches critical to any HIPAA security incident response. Depending on the size of the incident, the requirements of the HIPAA Breach Notification Rule differ slightly.

  • Large-scale breaches: affect 500 or more individuals and must be reported within 60 days of discovery. These breaches must be reported to the OCR, the affected individuals, and the media.
  • Smaller breaches: affect fewer than 500 individuals and must be reported within 60 days of the end of the calendar year in which they were discovered. These incidents must be reported to the OCR and the affected individuals.

In addition to the HIPAA breach notification requirements, healthcare organizations must be aware of state reporting requirements, which are often stricter than federal law.

To prevent future incidents, organizations must develop corrective action plans. A corrective action plan must address the gaps in security measures that allowed the breach to occur.

HIPAA and Cybersecurity

Security incident response is a key part of HIPAA compliance. We can help!