HIPAA and Ransomware: OCR Guidance

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

After promising to provide guidance and insight for a breaking issue, the Office for Civil Rights (OCR) came out with ransomware guidance under HIPAA. One major issue for debate was whether a ransomware attack constitutes a HIPAA breach. This issue among others is addressed by OCR. Overall, the guidance provides insight into where OCR is coming from and what it expects the industry to do in response to a ransomware attack.

As indicated, the primary question up for debate was whether a ransomware attack constitutes a breach under HIPAA. As expected, the answer is that it depends. As with most incidents that potentially result in a breach, examining the specific facts of each scenario is necessary. That being said, OCR suggests that the act of a ransomware attack encrypting protected health information by itself constitutes an unauthorized disclosure. The impacted entity will therefore need to demonstrate a low probability that the impacted protected health information was compromised, which means running through the breach risk assessment and disproving the presumption of a breach. In that respect, a ransomware attack is not really different from any number of other types of potential or actual breaches.

Leading up to the breach question, OCR goes to great lengths to imply that the HIPAA Security Rule aids entities in preventing and/or responding to ransomware attacks. This perspective is not necessarily overstating the potential benefit from HIPAA. HIPAA requires entities to conduct a comprehensive risk analysis that examines all angles of protected health information and the vulnerabilities or weaknesses affecting that protected health information. Once the risk analysis is conducted, an entity then needs to implement the full panoply of technical, administrative and physical safeguards. When taken as a whole, this establishes a good baseline for security, whether paper or electronic.

However, as has been said many times and in many places, “the Security Rule simply establishes a floor, or minimum requirements, for the security of ePHI.” This statement is very accurate and should be heeded. While the HIPAA Security Rule does have flexibility, the bare requirements of the rule do not constitute current or comprehensive security policies. The world of threats is changing too quickly for a static rule to fully set forth everything that an organization should do.

The ransomware guidance, on the whole, is helpful. It provides insight into OCR’s thought process when it comes to the intersection of HIPAA and ransomware. Healthcare entities can no longer use a lack of guidance as an excuse or “defense” for their response to an attack. There is too much at risk and it is important to have a baseline set of rules. Now, it is necessary for organizations to take cybersecurity seriously and proactively put protective measures into place.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.