Q&A: Reporting cybersecurity incidents
Q. Are we required to report cybersecurity incidents to federal agencies other than OCR, such as the Department of Homeland Security?
A. There is no federal requirement to report cybersecurity incidents to any federal agency other than OCR. OCR only needs to be notified if the cybersecurity incident results in a breach of unsecured PHI. The Cybersecurity Act of 2015 called for establishing a voluntary network where cybersecurity incidents and any forensic evidence discovered are shared with private entities and the federal government. Per the Information Systems Audit and Control Association, “The goal of the legislation is to promote and encourage the private sector and the US government to exchange cyber threat information rapidly and responsibly. Under the Act, information about a threat found on one system can be quickly shared in order to prevent a similar attack or mitigate a similar threat to other companies, agencies and consumers.”
Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.