[BreachExchange] New Federal HIPAA Guidance Targets Data Security Incidents

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 19 19:17:21 EDT 2016


http://www.information-management.com/news/security/new-federal-hipaa-guidance-targets-data-security-incidents-10028872-1.html


The HHS Office for Civil Rights has released new guidance that specifies
what business associates and subcontractors need to tell healthcare
organizations about data security incidents.

The office is providing the guidance to ensure that providers get proper
notification about data security incidents. OCR has jurisdiction over
enforcing the privacy and security rules contained in the Health Insurance
Portability and Accountability Act (HIPAA).

The new guidance defines how business associate agreements should specify
the terms of how and for what purposes protected health information will be
used, and create reporting mechanisms that cover instances in which
protected information is disclosed in a way not authorized under contracts.
The new rules put the onus on BAs to report incidents to covered entities.

Drawing on guidance from the United States Computer Emergency Readiness
Team (US-CERT), OCR reminds covered entities of the different types of
cyber attacks:

Attempts, either successful or failed, to gain unauthorized access to
electronic protected health information (ePHI) or a system that contains ePHI
Unwanted disruption or denial of service to systems containing ePHI
Unauthorized use of a system for the processing or storage of ePHI data
Changes to system hardware, firmware or software characteristics without
the owner’s knowledge, instruction or consent

Covered entities, according to OCR, also should indicate within the
business associate agreement the timeframe in which business associate or
subcontractor breaches must be reported. The covered entity
faces legal liability for failing to notify OCR and affected patients of a
breach in a timely manner.

OCR recommends that business associate agreements contain requirements that
BAs and subcontractors report a breach or a security incident even if it
did not cause a breach. The information should include BA or subcontractor
name and contact information, a description of the incident, date of the
incident and date of discovery, types of unsecured PHI involved in the
incident, and steps being taken to further investigate the incident and
avoid future incidents.

OCR also urges covered entities and their contractors to train employees on
incident reporting and conduct security audits and risk assessments. The
complete guidance is available here:
http://www.hhs.gov/sites/default/files/HIPAA%20Cyber-Awareness%20Monthly%20-%20Issue%204%20%28508%29.pdf