28 October 2022

HHS Office For Civil Rights Posts HIPAA Security Rule Security Incident Procedures

Foley Hoag LLP

Contributor

Foley Hoag provides innovative, strategic legal services to public, private and government clients. We have premier capabilities in the life sciences, healthcare, technology, energy, professional services and private funds fields, and in cross-border disputes. The diverse experiences of our lawyers contribute to the exceptional senior-level service we deliver to clients.

Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data. Within the health care industry, the HIPAA Security Rule applies to covered entities and their business associates (“regulated entities”) and electronic protected health information (ePHI). Because ePHI identifies individuals and includes information relating to an individual's health, treatment, or payment information, it is a valuable target for cyber-criminals.

Because of the recent flurry of security incidents impacting health care providers, HHS OCR has published its “HIPAA Security Rule Security Incident Procedures.” A 2022 report noted a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. Breaches of unsecured PHI, including ePHI, reported to HHS OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

The HIPAA Security Rule requires regulated entities to “implement policies and procedures to address security incidents.” This means regulated entities need to have a plan in place and documented for responding to security incidents (suspected or known) that includes:

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

Given the focus on security incidents from HHS OCR, this would be a good time to revisit your own institution's incident response procedures and conduct a tabletop exercise to improve your team's ability to respond effectively.
