Since the WannaCry ransomware spread rapidly across the globe, businesses, both large and small, are again focusing on cyber-security. In a previous bulletin, we detailed five things that a business can do to help prevent a cyber-attack. However, in the unfortunate event that your business experiences a cyber-attack affecting protected health information, this bulletin provides guidance from the Department of Health and Human Services Office for Civil Rights ("OCR") regarding what you must do.

On June 8, 2017, OCR released a checklist for covered entities and business associates (together referred to as "entities" herein) to use when responding to a cyber-attack. While some might find the checklist to be very simple, it does two important things:

  • Serves as a reminder that OCR is taking cyber-attacks on protected health information very seriously; and
  • Serves as a further reminder to entity leadership that taking certain steps following a cyber-attack is essential to minimizing the entity’s exposure.

If ever investigated, OCR will consider all of an entity’s mitigation efforts and will certainly begin by making sure an entity "checked all boxes" on the checklist, as appropriate. In short, this checklist provides that entities:

  • Must execute their response and mitigation procedures and contingency plans;
  • Should report the crime to appropriate law enforcement agencies;
  • Should report all cyber threat indicators to federal agencies and to information-sharing and analysis organizations (ISAOs); and
  • Must report the breach to affected individuals, OCR and the media, if appropriate, within the prescribed time frames.