May a HIPAA covered entity or its business associate disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators?

No, unless the disclosure is otherwise permitted under the HIPAA Privacy Rule, particularly given that cyber threat indicators do not generally include PHI.

The Cybersecurity Information Sharing Act of 2015 (CISA) describes cyber threat indicators as information that is necessary to describe or identify: malicious reconnaissance; methods of defeating a security control or exploitation of a security vulnerability; a security vulnerability; methods of causing a user with legitimate access to defeat of a security control or exploitation of a security vulnerability; malicious cyber command and control; a description of actual or potential harm caused by an incident; any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or any combination thereof.

The disclosure of cyber threat indicators for cyber information sharing is meant to alert other entities and the federal government to possible or actual threats or vulnerabilities to information systems, and to generally describe possible harms from such threats or vulnerabilities. Such information may include, as described above, technical, physical, or administrative specifications regarding threats to such systems, or vulnerabilities in such systems, and a general description of the harm caused by exploitation of these specifications.

The disclosure of PHI generally is not needed to describe such threats or vulnerabilities. Further, HIPAA would not permit such disclosures unless specific conditions provided in the HIPAA Privacy Rule were met, specifically, an authorization from the individual or the requirements of an applicable permission for disclosure under the Rule.

For example, the HIPAA Privacy Rule in 45 CFR § 164.512 permits covered entities and business associates to disclose PHI to law enforcement officials, without the individual’s written authorization, if specific conditions and limitations are met, including:

• To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(A)-(B)).
• To respond to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be used (45 CFR 164.512(f)(1)(ii)(C)).
• To respond to a request for limited PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person (45 CFR 164.512(f)(2)).
• To respond to a request for PHI about a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)).
• To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)).
• To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
• To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
• When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)).
• To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3)).

Absent a provision in the Rule expressly permitting disclosure of PHI, such as outlined above, an individual’s authorization would be required for the disclosure of the individual’s PHI.

Created 09/07/16