Cyber Security Guidance

Full description

Cyber Security Guidance Material

In this section, you will find educational materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to cyber-related security incidents.

How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks

The HHS Office for Civil Rights (OCR) has produced a pre-recorded video presentation for HIPAA covered entities and business associates (regulated entities) on how the HIPAA Security Rule can help regulated entities defend against cyber-attacks. The video is available in English and Spanish. The presentation is intended to educate the health care industry on real-world cyber-attack trends from OCR breach reports and investigations, and to explore how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks.

Topics include:

  • OCR breach and investigation trend analysis
  • Common attack vectors
  • OCR investigations of weaknesses that led to or contributed to breaches
  • How Security Rule compliance can help regulated entities defend against cyber-attacks

The video presentation may be found on HHS’s YouTube channel at: https://www.youtube.com/watch?v=VnbBxxyZLc8 (Oct. 23, 2023)

The video presentation in Spanish may be found on HHS’s YouTube channel at: https://www.youtube.com/watch?v=3oVarCxLcB8 (Oct. 23, 2023)

Cyber Security Checklist and Infographic

This guide and graphic explain, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.

  • Cyber Security Checklist
  • Cyber Security Infographic [GIF 802 KB]

Ransomware Guidance

HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware.

  • Ransomware

National Institute of Standards and Technology (NIST) Cybersecurity Framework

This crosswalk document identifies “mappings” between NIST’s Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule.

  • NIST Cyber Security Framework to HIPAA Security Rule Crosswalk

OCR Cyber Awareness Newsletters

In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues and highlighting best practices to safeguard PHI.

Visit our Cybersecurity Newsletter Archive page to view previous newsletters from 2016.

  • October 2024 OCR Cybersecurity Newsletter: Social Engineering: Searching for Your Weakest Link
  • August 2024 OCR Cybersecurity Newsletter: HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?
  • October 2023 OCR Cybersecurity Newsletter: How Sanction Policies Can Support HIPAA Compliance
  • June 2023 OCR Cybersecurity Newsletter: HIPAA and Cybersecurity Authentication
  • October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures
  • Quarter 1 2022 OCR Cybersecurity Newsletter: Defending Against Common Cyber-Attacks
  • Fall 2021 OCR Cybersecurity Newsletter: Securing Your Legacy [System Security]
  • Summer 2021 OCR Cybersecurity Newsletter: Controlling Access to ePHI: For Whose Eyes Only?
  • Summer 2020 OCR Cybersecurity Newsletter: HIPAA and IT Asset Inventories
  • Fall 2019 OCR Cybersecurity Newsletter: What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware
  • Summer 2019 OCR Cybersecurity Newsletter: Managing Malicious Insider Threats
  • Spring 2019 OCR Cybersecurity Newsletter: Advanced Persistent Threats and Zero Day Vulnerabilities

Sign up for the OCR Security Listserv to receive the OCR Cyber Awareness Newsletters in your email inbox.

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content last reviewed October 24, 2024

Timeline

  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use — not legal advice.