The Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities supported by HIPAA that will assist Covered Entities and Business Associates in either preventing or quickly responding to ransomware attacks. To illustrate, the guidance calls for:

  • Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
  • Implementing processes and technology to guard against and detect malicious software;
  • Training users on malicious software protection and reporting of malicious software detections with specific emphasis on ransomware;
  • Implementing controls to limit access to ePHI; and
  • Maintaining an overall contingency plan.

The OCR advice identifies how ransomware attacks can be analyzed to assess breach notification requirements under HIPAA. It is critical to understand that OCR expects covered entities and business associates to report ransomware attacks as a breach. The only condition for not reporting is if the organization can show, through a documented breach risk assessment, that there is a low probability that the protected health information was compromised.

Read the entire article at The Compliance and Ethics Blog.

Rich Curtiss

Principal Consultant at Clearwater Compliance
Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services. Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.