Office for Civil Rights Reiterates HIPAA Requirements and Responses to Cybersecurity Incidents - Bim Group

The HHS Office for Civil Rights (OCR) recently reported that a national cybersecurity firm observed a 42% increase in cyberattacks in 2022 compared to 2021, and a 69% increase in cyberattacks specifically targeting the healthcare sector. Further, breaches of unsecured protected health information (PHI), including ePHI, affecting 500 or more individuals and reported to OCR increased from 663 in 2020 to 714 in 2021, with 74% of reported breaches involving hacking or information technology (IT) incidents. OCR noted that hacking is now the greatest threat to the privacy and security of PHI in the healthcare sector and that a timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.

As we have recently completed National Cybersecurity Awareness Month, now is a great time for group health plans subject to the HIPAA Security Rule to review their policies and procedures that address security incidents to make sure they follow the guidelines OCR recently reiterated.

Regulated entities must implement and document their plan for responding to security incidents (suspected or known) to include:

  • Identifying security incidents
  • Responding to security incidents
  • Mitigating harmful effects of security incidents
  • Documenting security incidents and their outcomes

In preparing their security incident response process, regulated entities like group health plans should consider forming a security incident response team that is organized and trained to effectively respond to security incidents. Among the items to consider in forming a team are:

  • Selecting a team structure and staffing
  • Establishing relationships and lines of communication between the security incident response team and other internal and external resources
  • Identifying internal groups that may need to participate in incident handling (management, IT support, legal, public affairs and communications, human resources, business continuity/disaster recovery, physical security, facilities management)
  • Identifying points of contact at external groups that may be helpful to include in the event of an incident (network service providers, software and hardware vendors, local and federal law enforcement, incident handling teams of business partners and customers)
  • Determining what services the security incident response team should provide (such as intrusion detection, advisory distribution, education and awareness, information sharing)

The security incident response team should regularly test its security incident procedures. This could involve exercises built around different types of potential security incident scenarios, such as a cyber-criminal's infiltration of the network and deployment of ransomware. Updating security incident procedures based on this testing will help protect against, and improve efficiency in responding to, actual security incidents.

The HIPAA Security Rule regulations also require a regulated entity to:

  • Identify the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • Maintain and regularly review audit logs
  • Implement hardware, software, and procedural mechanisms to record and examine access and other activity in information systems that contain or use electronic protected health information.
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

When responding to a security incident, a regulated entity should contain the security incident and any threat it may pose to ePHI and take appropriate action to ensure the confidentiality, integrity, and availability of its ePHI by:

  • Determining the nature and extent of the damage caused by the security incident
  • Identifying and removing any malicious code and components that the security incident may have left behind
  • Mitigating any vulnerabilities that may have permitted the security incident to occur
  • Collecting and preserving data relevant to investigating the security incident, such as log files, registry keys, and other artifacts.

After the security incident has been neutralized and any malware removed, the next steps should include mitigating the harmful effects of the security incident including recovery and restoration of systems and data to return to normal operations. The HIPAA Security Rule requires that regulated entities establish a contingency plan to include data backup and recovery processes.

Frequent backups and verification of the integrity of the backed-up data are crucial to being able to recover data that may have been deleted or had its integrity compromised as a result of a security incident. Backup logs should be reviewed regularly, and test restorations of backups conducted periodically to ensure the integrity of backups and provide confidence in the regulated entity's ability to restore its data. Because some malware, including some ransomware variants, is known to delete or otherwise disrupt online backups, regulated entities should consider maintaining at least some of their backups offline and unreachable from their networks.

Once a security incident has ended, systems and data have been restored, and operations have returned to normal, regulated entities should document their response and analysis into a record of the security incident. A regulated entity’s security incident procedures should include a section on documenting security incidents and what information to include in the documentation (e.g., discovery of the security incident, systems and data affected, response and mitigation activities, recovery outcomes, root cause analysis, forensic data collected).

Finally, when considering their security incident procedures and how to respond to security incidents, regulated entities must understand their duty to report breaches of unsecured PHI. The Breach Notification Rule requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from the discovery of the breach. Covered entities are required to report breaches affecting fewer than 500 individuals to the affected individuals without unreasonable delay and no later than 60 calendar days from the discovery of the breach, and to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.


The policies and procedures regulated entities create to prepare for and respond to security incidents can pay dividends in the long run with faster recovery times and reduced compromises of ePHI. A well-reasoned, well-tested security incident response plan is integral to ensuring the confidentiality, integrity, and availability of a regulated entity's ePHI.


This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
