May a HIPAA covered entity or its business associate disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators?
According to HHS.gov, "The disclosure of PHI generally is not needed to describe such threats or vulnerabilities. Further, HIPAA would not permit such disclosures unless specific conditions provided in the HIPAA Privacy Rule were met, specifically, an authorization from the individual or the requirements of an applicable permission for disclosure under the Rule."
Intelligence sharing is a good thing, and there seems to be some confusion and concern about what this guidance means for healthcare. Share what the criminals did and which vulnerabilities were exploited, not necessarily details of the PHI that was exfiltrated.
The full answer from the US Department of Health and Human Services is available on HHS.gov.