OCR Issues Reminder About the HIPAA Security Rule Security Incident Requirements

October 26, 2022

In its October 2022 cybersecurity newsletter, OCR has reminded HIPAA-regulated entities of their obligations with respect to security incidents, including clarifying the breach reporting timeframe and when the clock starts ticking.

The number of healthcare data breaches being reported continues to increase. There was an almost 8% increase in reported data breaches of 500 or more records between 2020 and 2021, and a recent Check Point report suggests healthcare data breaches have increased by 69% between 2021 and 2022 – the highest percentage observed in any sector.

Given the sharp rise in data breaches, OCR has chosen to raise awareness of the security incident requirements of the HIPAA Security Rule in its October Cybersecurity Newsletter. October is Cybersecurity Awareness Month – a month dedicated to raising awareness of the importance of cybersecurity and sharing best practices to help individuals and organizations ensure the privacy and security of confidential information. While the focus of this year’s Cybersecurity Awareness Month is the steps that everyone can take to improve cybersecurity, it is also a good time to remind HIPAA-regulated entities of their responsibilities under HIPAA.

A Security Incident Plan is Required for HIPAA Security Rule Compliance

OCR has confirmed that the HIPAA Security Rule requires HIPAA-regulated entities to “implement policies and procedures to address security incidents,” which must include a documented plan for responding to suspected or known security incidents. That plan must cover the identification of security incidents, responding to incidents, mitigating the harmful effects, documenting security incidents and their outcomes, reporting those incidents to OCR, and issuing notifications to affected individuals.

A documented incident response plan will ensure HIPAA-regulated entities can respond and recover quickly when incidents occur and minimize the harm caused. The security incident response plan should also be regularly tested and revised, as appropriate, to ensure that it is effective. OCR stressed the importance of forming a security incident response team and organizing and training the team on how to respond to incidents in an efficient and effective way. HIPAA-regulated entities should refer to the guidance issued by the National Institute of Standards and Technology (NIST) (SP 800-61), which suggests several considerations for establishing a security incident response team.

OCR also provides guidance on key elements of the security incident plan:

Identify – Ensure audit logs are created and regularly reviewed, as logs contain information that can help HIPAA-regulated entities identify security incidents and unauthorized network activity early and reduce the harm caused.

Respond – Plan the measures required to immediately contain and neutralize an attack, determine the nature and scope of a security breach, identify any malicious code and artifacts, mitigate the vulnerabilities that were exploited, and preserve relevant data.

Recover (Mitigate) – Preparation is key to a rapid recovery. A contingency plan must be developed and implemented to ensure operations can continue while an attack is mitigated, and data backup and recovery practices should be implemented. OCR suggests the 3-2-1 approach to backups: keep at least three copies of the data (one primary and two backups), on at least two different media (e.g. local, cloud, removable media), with one backup copy stored securely off-site.

Document – Once an organization has recovered from a security incident and restored normal business operations, a record of the security incident should be created that contains information about the response and recovery. The record can be used to improve the response to future security incidents, and it may also need to be provided to OCR and state attorneys general in the event of a breach investigation.

Notify – The Breach Notification Rule requires HIPAA-regulated entities to report breaches of protected health information to OCR and notify affected individuals within 60 days of the discovery of a data breach. Breaches of 500 or more records must be reported to OCR within 60 days of discovery, and smaller breaches can be reported to OCR within 60 days of the end of the year in which the breach occurred.

In recent years, some HIPAA-regulated entities have treated the date of discovery of a data breach as the date on which the number of affected individuals, or the types of ePHI involved, was confirmed. OCR acknowledged this trend in the newsletter and stressed that this interpretation of the HIPAA Breach Notification Rule is incorrect, implying it could result in a HIPAA penalty.

“It is important for covered entities to note that the time period [for reporting] begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule,” explained OCR in the newsletter. “Further, 60 days is the outer limit for notification and, in some cases, it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.”

As a warning to HIPAA-regulated entities of the potential consequences of HIPAA Security and Breach Notification Rule non-compliance, OCR cited a recently resolved investigation of a data breach involving the ePHI of 279,865 patients of the Oklahoma State University – Center for Health Sciences. The case, which involved breach reporting and security incident response failures, was settled for $875,000; a corrective action plan was stipulated, and the covered entity was subject to two years of monitoring.

The post OCR Issues Reminder About the HIPAA Security Rule Security Incident Requirements appeared first on HIPAA Journal.