The U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) recently issued a Quick-Response Checklist, explaining the steps for a HIPAA-covered entity or its business associate to take in response to a cyber-related security incident. The Checklist includes:

• Executing a response, mitigation procedures and contingency plans;

• Reporting the incident to the appropriate law enforcement agencies and information-sharing and analysis organizations (“ISAO”); and

• Reporting any breach to the OCR and affected individuals.

The Quick-Response Checklist reminds covered entities and business associates that the OCR considers all mitigation efforts during a breach investigation. Although the response to a cyber-related security incident will depend on the event at hand, all covered entities and business associates should develop a cyber-security response team and plan to immediately address potential security incidents.