© 2019 SourceMedia. All rights reserved.

New Federal HIPAA Guidance Targets Data Security Incidents

The HHS Office for Civil Rights has released new guidance that specifies what business associates and subcontractors need to tell healthcare organizations about data security incidents.

The office is providing the guidance to ensure that providers get proper notification about data security incidents. The OCR has jurisdiction over enforcing privacy and security rules containing in the Healthcare Insurance Portability and Accountability Act (HIPAA).


The new guidance defines how business associate agreements should specify the terms of how and for what purposes protected health information will be used, and create reporting mechanisms that cover instances in which protected information is disclosed in a way not authorized under contracts. The new rules put the onus on BAs to report incidents to covered entities.

OCR is drawing its guidance from the United States Computer Emergency Readiness Team, OCR reminds covered entities of the different types of cyber attacks:

  • Attempts, either successful or failed, to gain unauthorized access to ePHI or a system that contains ePH
  • Unwanted disruption or denial of service to systems containing ePHI
  • Unauthorized use of a system for the processing or storage of ePHI data
  • Changes to system hardware, firmware or software characteristics without the owner’s knowledge, instruction or consent

Covered entities, according to OCR, also should indicate within the business associate agreement indicate the timeframe in which business associate or subcontractor breaches should be reported. The covered entity faces legal liability for failing to notify OCR and affected patients of a breach in a timely manner.
OCR recommends that business associate agreements contain requirements that BAs and subcontractors report a breach or a security incident even if it did not cause a breach. The information should include BA or subcontractor name and contact information, a description of the incident, date of the incident and date of discovery, types of unsecured PHI involved in the incident, and steps being taken to further investigate the incident and avoid future incidents.

OCR also urges covered entities and their contractors to train employees on incident reporting and conduct security audits and risk assessments. The complete guidance is available here.


For reprint and licensing requests for this article, click here.