The United States Office of Civil Rights (OCR) released a checklist of steps to take under HIPAA after a cyber attack. In the event of a cyber security incident, a HIPAA covered entity should:
- Execute its response and mitigation procedures and contingency plans.
- Report the crime to law enforcement agencies.
- Report all cyber threat indicators to federal and information-sharing and analysis organizations, such as the FBI.
- Follow breach notification requirements by reporting to OCR as soon as possible, but no later than 60 days after the discovery of a breach impacting 500 or more individuals.
A full copy of the OCR’s report can be accessed by clicking here.