The U.S. Department of Health and Human Services has a graphic and guide explaining the steps a HIPAA covered entity must take in response to a cyber-related security incident.
When investigating a breach, HHS considers all steps an organization takes to mitigate harm.
In the event of a cyber attack, an organization:
- Must execute its response and mitigation procedures and contingency plans
- Should report the crime to other law enforcement agencies
- Should report all cyber threat indicators to federal agencies and information-sharing and analysis organizations (ISAOs)
- Must report the breach to HHS as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals
A copy of the graphic may be accessed here and a copy of the checklist may be accessed here.