The Office of Civil Rights of the U.S. Department of Health and Human Services ("OCR") has released a checklist of actions to be taken by covered entities in the event of a ransomware attack or other cyber-related security incident. OCR noted that in investigating breaches of protected health information ("PHI"), it will consider all mitigation efforts taken by the entity.

Specifically, covered entities, i.e. most healthcare providers, must take the following steps in response to a cyber-attack:

  • Execute response/mitigation procedures and contingency plans: the covered entity, or an outside security entity operating under a valid Business Associate Agreement, should immediately fix the issue in question and halt the attack, as well as take steps to mitigate any impermissible breach of PHI;
  • Report the crime: to relevant Federal, state or local law enforcement agencies, while making sure that such reporting does not further reveal PHI. Covered entities may have to comply with law enforcement's request not to notify affected individuals of the breach, if doing so would impede a criminal investigation or harm national security;
  • Report all cyber threat indicators: i.e. certain indicators or signs of possible or actual threats or vulnerabilities to information systems, to federal agencies and information-sharing and analysis organizations ("ISAOs"), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs (PHI should be withheld from these reports);
  • Report the breach to OCR: in most cases, OCR presumes that cyber-related security incidents where PHI was accessed are reportable breaches. For breaches affecting 500 or more individuals, the covered entity must report to OCR as soon as possible, but no later than 60 days after the discovery, and notify affected individuals and the media unless law enforcement has requested otherwise. For breaches affecting fewer than 500 individuals, the entity must notify affected individuals without unreasonable delay, but no later than 60 days after discovery, and OCR within 60 days of the end of the calendar year.

If you have questions pertaining to a HIPAA audit or PHI security or privacy compliance, feel free to contact our expert healthcare attorneys by phone at 212-668-0200 or by email at