The U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued a Quick-Response Checklist, explaining the steps for a HIPAA-covered entity or its business associate to take in response to a cyber-related security incident. The Checklist includes:

  • Executing a response, mitigation procedures and contingency plans;
  • Reporting the incident to the appropriate law enforcement agencies and information-sharing and analysis organizations (“ISAO”); and
  • Reporting any breach to the OCR and affected individuals.

The Quick-Response Checklist, available here, reminds covered entities and business associates that the OCR considers all mitigation efforts during a breach investigation. Although the response to a cyber-related security incident will depend on the event at hand, all covered entities and business associates should develop a cyber-security response team and plan to immediately address potential security incidents.