HIPAA Cyber Attack Response Checklist
Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI).
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.
Entities subject to HIPAA should become familiar with the OCR’s checklist and other guidance for handling cyber security breaches involving PHI. These entities should also ensure they have plans for mitigating the effects of breaches.
OCR Quick-response Checklist
In the event of a cyber attack or similar emergency, a covered entity must do the following:
- Execute its response and mitigation procedures and contingency plans.
- Report the crime to appropriate law enforcement agencies.
- Report all cyber threat indicators to federal and information-sharing and analysis organizations.
- Report the breach to affected individuals and to the OCR as soon as possible.
Reportable Incidents
HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed.
For more information about this rule and its potential impact on your company, please contact TMC Employee Benefits Group.
New Fiduciary Rules
The Department of Labor (DOL) released a final rule that expands who is considered a “fiduciary” when providing investment advice to retirement plans and their participants. The rule also applies to individual retirement accounts (IRAs) and health savings accounts (HSAs).
After being delayed, the final rule became effective June 9, 2017.
Under the rule, a person is a fiduciary if the person receives compensation for providing investment advice with the understanding that it is based on the particular needs of the person being advised or that it is directed at a specific plan sponsor, plan participant or account owner. Fiduciaries may be held personally liable in the event of a fiduciary breach.
Individuals who provide advice on HSAs may be considered fiduciaries if their communications rise to the level of investment recommendations covered by the final rule.
Contact TMC Employee Benefits Group for more information and guidance on this new rule.
DID YOU KNOW?
The Department of Labor (DOL) has officially dropped its support for the new overtime rule. The rule, originally scheduled to take effect in December 2016, was halted by a federal court soon before its enactment.
The DOL plans to revisit the overtime rule and use a lower salary threshold. However, in the meantime, the DOL asked that the court validate its authority to determine salary thresholds to be used in future rules. It is uncertain what the new threshold might be.