BreachExchange mailing list archives
New Federal HIPAA Guidance Targets Data Security Incidents
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 May 2016 17:17:21 -0600
http://www.information-management.com/news/security/new-federal-hipaa-guidance-targets-data-security-incidents-10028872-1.html

The HHS Office for Civil Rights has released new guidance that specifies what business associates and subcontractors need to tell healthcare organizations about data security incidents. The office is providing the guidance to ensure that providers get proper notification about data security incidents. The OCR has jurisdiction over enforcing the privacy and security rules contained in the Health Insurance Portability and Accountability Act (HIPAA).

The new guidance defines how business associate agreements should specify the terms of how and for what purposes protected health information will be used, and create reporting mechanisms that cover instances in which protected information is disclosed in a way not authorized under contracts. The new rules put the onus on BAs to report incidents to covered entities.

OCR is drawing its guidance from the United States Computer Emergency Readiness Team, and reminds covered entities of the different types of cyber attacks:

- Attempts, either successful or failed, to gain unauthorized access to ePHI or a system that contains ePHI
- Unwanted disruption or denial of service to systems containing ePHI
- Unauthorized use of a system for the processing or storage of ePHI data
- Changes to system hardware, firmware or software characteristics without the owner's knowledge, instruction or consent

Covered entities, according to OCR, also should indicate within the business associate agreement the timeframe in which business associate or subcontractor breaches should be reported. The covered entity faces legal liability for failing to notify OCR and affected patients of a breach in a timely manner. OCR recommends that business associate agreements contain requirements that BAs and subcontractors report a breach or a security incident even if it did not cause a breach.

The information should include the BA or subcontractor name and contact information, a description of the incident, the date of the incident and the date of discovery, the types of unsecured PHI involved in the incident, and the steps being taken to further investigate the incident and avoid future incidents. OCR also urges covered entities and their contractors to train employees on incident reporting and to conduct security audits and risk assessments.

The complete guidance is available here: http://www.hhs.gov/sites/default/files/HIPAA%20Cyber-Awareness%20Monthly%20-%20Issue%204%20%28508%29.pdf