The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) contains no exception for sharing cyber threat indicators, so HIPAA-covered entities and their business associates may not share protected health information (PHI) for that purpose unless HIPAA otherwise permits it, the U.S. Department of Health and Human Services (HHS) recently warned.
Cyber threat indicators usually do not include PHI in any case, so “the disclosure of PHI generally is not needed to describe such threats or vulnerabilities,” according to the frequently asked questions (FAQ) document from HHS’ Office for Civil Rights (OCR). “Further, HIPAA would not permit such disclosures unless specific conditions provided in the HIPAA Privacy Rule were met, specifically, an authorization from the individual or the requirements of an applicable permission for disclosure under the Rule.”
The Cybersecurity Information Sharing Act (CISA), passed last year as part of the 2016 appropriations bill (Pub. L. 114-113), was meant to encourage businesses to share data on possible threats or vulnerabilities to information systems, and the harm that could result. The law defines “cyber threat indicators” as information needed to describe or identify:
- Malicious reconnaissance;
- A security vulnerability;
- Methods of defeating a security control or exploiting a security vulnerability;
- Methods of causing a user with legitimate access to defeat a security control or exploit a security vulnerability;
- Malicious cyber command and control;
- Actual or potential harm caused by an incident;
- Any other attribute of a cybersecurity threat, if disclosing it is not otherwise prohibited by law; or
- Any combination of these.
Reporting on these indicators is likely to consist of “technical, physical, or administrative specifications regarding threats to such systems, or vulnerabilities in such systems, and a general description of the harm caused by exploitation of these specifications,” rather than individuals’ health information, OCR stated in the FAQ released September 7. If PHI is to be disclosed without the individual’s written authorization, it must fit into one of HIPAA’s existing exceptions:
- To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena (45 C.F.R. §164.512(f)(1)(ii)(A)-(B)).
- To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official (45 C.F.R. §164.512(f)(1)(ii)(C)).
- To respond to a request for limited PHI to identify or locate a suspect, fugitive, material witness, or missing person (45 C.F.R. §164.512(f)(2)).
- To respond to a request for PHI about a victim of a crime, if the victim agrees (45 C.F.R. §164.512(f)(3)).
- To report PHI to law enforcement when required by law to do so (45 C.F.R. §164.512(f)(1)(i)).
- To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 C.F.R. §164.512(f)(4)).
- To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the entity’s premises (45 C.F.R. §164.512(f)(5)).
- When responding to an off-site medical emergency, as necessary to alert law enforcement (45 C.F.R. §164.512(f)(6)).
- To certain federal intelligence, national security, and protective agencies (45 C.F.R. §164.512(k)).