Cyber Security and HIPAA Compliance

Michelle Bilsky, VP of Risk Management // June 13, 2017

HHS and OCR have provided guidance on the topic of breaches and response to breaches and requires covered entities to have a breach notification and response policy and procedure in place.  This policy must include the following:

  1. Definitions
  2. Notifications in the event of a breach
  3. Discovery
  4. Content of Notifications
  5. Methods of Notification
  6. Arrangements with Business Associates in the event of a breach by BA
  7. Law Enforcement Delays
  8. Administrative Requirements

In the event of a suspected breach, it is imperative that the organization conduct an assessment to identify the exact nature of the breach.  Some organizations are capable of conducting the initial assessment themselves and others may need an outside consultant to assist.  OCR rule 45 CFR 164 includes specific guidance on what is required in order to investigate, mitigate, and remediate a breach. 

Organizations must develop clear privacy and security guidelines in order to avoid the risk of a true breach.  These policies must include how an organization secures its’ data.  Guidelines are provided in the rule for the specific methods that are acceptable for encryption of data and OCR relies on NIST as the expert to provide the standards for which an organization must meet.

A Covered Entity can purchase insurance to protect itself in the event of a breach.  This ‘risk transfer’ shifts the financial burden of a breach from the CE to the insurance carrier who also is then responsible, under most policies, for the investigation, notification, remediation, and fines or penalties. **see policy for exact details on coverages

Guidance on policy and procedure is available to insureds through MedMal Direct’s Risk Management Department and increased limits for cyber liability coverage can be purchased at the request of the insured.

Additional Resources:

Cyber- Attack Quick Response Infographic
Source: Department of Health & Human Services

Encryption Guidance

Breach Incident Report 

MedMal Direct HIPAA Toolkit