HHS OCR Recommends Updating HIPAA Cybersecurity Policies and Procedures

October 13, 2022

By: Willard L. Boyd III, Eric N. Fischer, Seamus Taylor

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reported receiving an increased number of breach reports for cyber-related security incidents, mainly related to hacking and IT incidents. While some of these breaches have been sophisticated, many have involved common types of attacks such as phishing emails, exploitation of known vulnerabilities, and weak authentication protocols, most of which can be prevented or substantially mitigated with proper implementation of the HIPAA Security Rule (the “Security Rule”) requirements.

In response, the HHS OCR has recommended that HIPAA covered entities and business associates update their cybersecurity policies and procedures to protect against cyberattacks and remain compliant with federal law.

Under the Security Rule, covered entities and business associates must regularly conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

The Security Rule requires:

  • The adoption of administrative, physical, and technical safeguards and security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • The implementation of a security awareness and training program to educate workforce members on security measures, including how to respond to new and current cybersecurity threats such as ransomware and phishing.
  • The implementation of reasonable policies and procedures to ensure that these safeguards and security measures are followed.

If a covered entity or business associate experiences a cyber-related security incident, that entity must execute its response and mitigation procedures and contingency plans. If the breach involves protected health information, the breach must also be reported to OCR and to affected individuals within certain timeframes. While reporting the crime to law enforcement agencies is not required under the Security Rule, OCR considers all mitigation efforts taken by the entity during any particular breach investigation, including voluntary sharing of breach-related information with law enforcement agencies, other federal agencies, and information sharing and analysis organizations.

In an April 6, 2022 proposed rule, HHS outlined a methodology for the imposition of civil monetary penalties for violations of the HIPAA rules. Public comments were due on June 6, 2022, and a final rule is expected in the coming months.

Nyemaster Goode’s Health Care practice group is available to answer questions about the HIPAA Security Rule, cybersecurity best practices, and OCR investigations. We will continue to monitor developments in this area.