OCR Releases Guidance On Data Security Incident Preparedness—On May 3, 2016, the Office for Civil Rights (“OCR”) within the U.S. Department of Health & Human Services released its cyber-awareness monthly update on the topic of data security incident preparedness by covered entities and business associates regulated under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”).  OCR, which enforces the HIPAA rules, notes in the update that “[d]espite the requirements of HIPAA, not only do a large percentage of covered entities believe they will not be notified of security breaches or cyberattacks by their business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.”  Accordingly, OCR provides guidance relating to managing data breaches at business associates and subcontractors, including defining timeframes for business associates and subcontractors to report data breaches and identifying the type of information that must be provided in data breach reports.  OCR further encourages covered entities and business associates to conduct training on breach incident reporting.