The Department of Health and Human Services (HHS) has issued subregulatory guidance addressing the procedures that covered entities (CEs) and business associates (BAs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should implement to respond to cybersecurity incidents involving electronic protected health information (ePHI). In issuing this guidance, HHS cited the rising number of cybersecurity incidents during 2022.