HRCAlerts072016_Ransomware

Unless a covered entity or business associate can demonstrate that there exists a "low probability that the PHI [protected health information] has been compromised," the entity must comply with applicable breach notification provisions of the Health Insurance Portability and Accountability Act (HIPAA), according to a fact sheet on ransomware prevention and response issued by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR). Notification must be made without unreasonable delay to affected individuals, the secretary of HHS, and, in the case of breaches affecting more than 500 individuals, the media. Providers can demonstrate a low probability that PHI was compromised by conducting a risk assessment that considers the nature and extent of the PHI involved; the unauthorized person who used the PHI; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. The risk assessment must be "thorough, completed in good faith and reach conclusions that are reasonable given the circumstances," OCR said. If the PHI was already encrypted to comply with HIPAA, a breach notification is not required, OCR said, but additional analyses may still be needed to determine whether the encryption rendered the affected PHI "unreadable, unusable and indecipherable to anyone other than the authenticated user." HHS, along with the departments of Homeland Security and Justice, last month issued technical guidance summarizing best practices to implement in response to ransomware incidents. The guidance advised organizations to immediately contact their Federal Bureau of Investigation (FBI) or Secret Service field office for assistance, and to report incidents to the FBI Internet Crime Complaint Center (see the July 6, 2016, HRC Alerts).

HRC Recommends: Risk managers should review the OCR fact sheet on prevention of ransomware attacks and related information about response and technical guidance with the organization's HIPAA security officer. The organization's breach notification policies and procedures should reflect the current accepted standard for conducting a risk assessment, and policies and procedures should be in place to guide the appropriate response to and reporting of ransomware incidents.

Topics and Metadata

Topics

Health Information Technology; Incident Reporting and Management; Laws, Regulations, Standards

Roles

Healthcare Executive; Legal Affairs; Regulator/Policy Maker; Risk Manager

Information Type

News

Publication History

Published July 20, 2016

Who Should Read This

Administration, Corporate compliance, HIPAA privacy officer, HIPAA security officer, Health information management, Information technology, Legal counsel, Risk manager