HIPAA and Ransomware: OCR Guidance

After promising to provide guidance and insight for a breaking issue, the Office for Civil Rights (“OCR”) came out with ransomware guidance under HIPAA. One major issue for debate was whether a ransomware attack constitutes a HIPAA breach. This issue among others is addressed by OCR. Overall, the guidance provides insight into where OCR is coming from and what it expects the industry to do in response to a ransomware attack.

As indicated, the primary question up for debate was whether a ransomware attack constitutes a breach under HIPAA. As expected, the answer is that it depends. As with most instances potentially resulting in a breach, examining the specific facts of each scenario is necessary. That being said, OCR suggests that the act of a ransomware attack encrypting protected health information by itself constitutes an unauthorized disclosure. The impacted entity will then need to demonstrate a low probability that the impacted protected health information was compromised. In other words, the entity needs to run through the breach risk assessment and disprove the assumption of a breach. In that respect, a ransomware attack is not really different from any number of other types of potential or actual breaches.

Leading to the breach question, OCR goes to great lengths to imply that the HIPAA Security Rule aids entities in preventing and/or responding to ransomware attacks. This perspective is not necessarily overstating the potential benefit from HIPAA. HIPAA requires entities to conduct a comprehensive risk analysis that examines all angles of protected health information and the vulnerabilities or weaknesses of that protected health information. Once the risk analysis is conducted, an entity then needs to implement the full panoply of technical, administrative and physical safeguards. When taken as a whole, this establishes a good baseline for security, whether paper or electronic.

However, as has been said many times and in many places, “the Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI.” This statement is very accurate and should be followed. While the HIPAA Security Rule does have flexibility, the bare requirements of the rule do not constitute current or comprehensive security policies. The world of threats is changing too quickly for a static rule to fully set forth everything that an organization should do.

The ransomware guidance, on the whole, is helpful. It provides insight into OCR’s thought process when it comes to the intersection of HIPAA and ransomware. Healthcare entities can no longer use a lack of guidance as an excuse or “defense” for their response to an attack. There is too much at risk and it is important to have a baseline set of rules. Now, it is necessary for organizations to take cybersecurity seriously and proactively put protective measures into place.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.