Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.

Cyberattacks

OCR warned health care companies on September 7 of the recent increase in the frequency and harm of cyberattacks and encouraged Covered Entities and Business to use information-sharing as a tool to fight these attacks. OCR cited the Cybersecurity Information Security Act and Executive Order 13691 as recognizing the importance of information-sharing to help prevent attacks or vulnerabilities through exchanges both among health care companies and between the federal government and private sector.

However, OCR noted that while information-sharing has many benefits, sensitive information like Protected Health Information (PHI), detailed security information, trade secrets, or other proprietary information should remain private through de-identification or non-disclosure. OCR also dedicated a new FAQ to the topic last week, explaining that a Covered Entity or Business Associate may not disclose PHI for cybersecurity information-sharing purposes unless the disclosure is otherwise permitted under HIPAA. OCR stated that disclosure of PHI is often not necessary to alert other entities of threats to or vulnerabilities of particular systems. Therefore, OCR’s emphasis on information-sharing should not be viewed as giving Covered Entities and Business Associates more flexibility in disclosing PHI for information-sharing purposes. Covered Entities and Business Associates must continue to ensure that all disclosures comply with the requirements of the Privacy Rule, even when having the best intentions of trying to help other entities prevent cyberattacks.

State Breach Notification Laws

In state privacy news, our colleagues at Privacy & Security Matters recently updated the “Mintz Matrix,” which summarizes U.S. state breach notification laws. We update the Mintz Matrix on a quarterly basis, or more frequently if necessary. The Mintz Matrix is available here. This update includes significant changes to the laws in Nebraska, Nevada, Rhode Island, and Tennessee, as states have been pushing to protect a broader range of data and shorten the notification timing requirements. More information on the recent updates can be found on Privacy & Security Matters.

NIST/OCR Annual Security Conference

OCR has also announced the dates for its annual security conference held in connection with the National Institute of Standards and Technology (NIST). This year’s conference will be held on October 19 and 20 and participants can attend in-person or via webcast.