What is a HIPAA Security Incident and What are the Notification Requirements?

In May 2017, the global WannaCry ransomware attacks infected and encrypted more than 230,000 computers. A high number of other IT security incidents were also reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the same period.

The increase in attacks and data breaches prompted OCR to restate the HIPAA definition of a security incident, clarify which incidents are reportable, and explain how covered entities should prepare for an incident and respond correctly when one occurs.

The HIPAA Security Rule requires covered entities and their business associates to take steps to prevent cyberattacks and other security incidents. They must implement administrative, physical, and technical safeguards to preserve the confidentiality, integrity, and availability of electronic protected health information (ePHI).

However, even covered entities that have met those requirements can experience security incidents involving ePHI. Robust, multi-layered cybersecurity defenses reduce risk but do not make an organization immune to attack. It is therefore essential to have a tested breach response plan that can be put into action as soon as a security incident is discovered; otherwise valuable time will be lost.

Organizations must also understand how HIPAA distinguishes a security incident from a breach. It has come to OCR’s attention that many covered entities are confused about the definition of a HIPAA security incident and about when the HIPAA Breach Notification Rule applies. Recent ransomware attacks on healthcare organizations have been reported in the media, yet OCR has received no breach notification for them and patients have not been told that their ePHI was accessed.

In its May Cybersecurity Newsletter, OCR explains that the HIPAA Security Rule defines a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Note that the definition covers attempts as well as successes: a blocked phishing campaign or a port scan that never reached ePHI is still a security incident, and the Security Rule’s incident procedures (45 CFR 164.308(a)(6)) require it to be identified, responded to, and documented, even though it does not trigger breach notification.

OCR reminded covered entities that a ransomware attack that encrypts unsecured ePHI is an unauthorized acquisition of that ePHI, because the attacker has taken control of the data, and is therefore an impermissible disclosure. Such an attack is presumed to be a breach, and the HIPAA Breach Notification Rule requires affected individuals and OCR to be notified unless the covered entity can demonstrate, through a documented risk assessment, that there is a low probability the ePHI was compromised. “Unsecured” here means the ePHI was not already rendered unusable, unreadable, or indecipherable to unauthorized persons in line with HHS guidance, for example by encryption that the attacker could not bypass.

The Breach Notification Rule allows a maximum of 60 calendar days from the discovery of a breach to issue notifications, but that is an absolute deadline, not a target. Notices must be sent without unreasonable delay; a covered entity that has completed its investigation and then waits until a couple of days before the deadline to notify would be in violation of HIPAA. The clock runs from discovery, which is the first day on which the breach is known, or by exercising reasonable diligence would have been known, to the covered entity. Breaches affecting 500 or more individuals must also be reported to OCR within that same 60-day window (with notice to prominent media outlets where 500 or more residents of a state or jurisdiction are affected); smaller breaches may be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered.

About Ryan Coyne
Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn https://www.linkedin.com/in/ryancoyne/ and follow on Twitter https://twitter.com/ryancoyne