Covered entities should report cybersecurity threats, but no PHI disclosures

Cyber threats are becoming more and more common, both in general and specifically in the health sphere. The Department of Homeland Security operates the National Cybersecurity and Communications Integration Center (NCCIC), with four branches dedicated to protecting the right to privacy in the government, private sector, and international defense network communities. The US Computer Emergency Readiness Team (US-CERT) develops information on immediate threats and analyzes data gleaned from cybersecurity incidents.

As part of these efforts, health entities can report any suspicious activity or cybersecurity incidents to US-CERT. Disclosing cyber threat indicators, which includes information such as malicious reconnaissance, security vulnerabilities, methods of defeating controls or exploiting vulnerabilities, is intended to alert other entities of possible issues. This type of information sharing allows the federal government to better protect information systems, and maintain current alerts and reports on vulnerabilities on the US-CERT site.

HIPAA concerns

HHS recently clarified that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may not disclose protected health information (PHI) for the purpose of sharing cyber threat indicators. This also applies to business associates. PHI may only be released under these circumstances if the disclosure is permitted under the Privacy Rule.

HHS noted that PHI is generally not included in cyber threat indicators, so prohibiting PHI disclosure in cyber threat reporting will typically not be an issue. Under the Privacy Rule, an entity could disclose PHI to law enforcement without the individual’s written authorization in order to comply with a court order or to alert and inform law enforcement as necessary regarding criminal activity. In some instances, an entity may report limited PHI. Entities may disclose to federal officials authorized to conduct national security activities or to protect the President. In all other circumstances that are not expressly included and permitted in the Privacy Rule, the entities must obtain authorization from the individual whose PHI is to be disclosed.