HHS: Ransomware Attacks Can Trigger Reporting Requirements

King & Spalding

On July 11, 2016, the HHS Office for Civil Rights (OCR) released new HIPAA guidance regarding ransomware. The Fact Sheet, issued by OCR on July 11, covers various issues relating to ransomware, including reporting requirements and helpful security protocols. The OCR Fact Sheet is available here. A press release regarding the Fact Sheet is available here.

Ransomware is a malicious form of cyberattack that has become increasingly prevalent in recent years. A ransomware attack typically involves a hacker seizing control of and encrypting an organization’s data. The hacker then demands that the organization pay a ransom in order to receive a decryption key.

OCR warns that ransomware attacks may trigger HIPAA’s reporting requirements. OCR considers the encryption of electronic protected health information (ePHI) during a ransomware attack to be a “breach” under HIPAA. OCR advises that the compromised entity must comply with applicable breach notification requirements—including notification to affected individuals, the Secretary of HHS, and the media (if more than 500 individuals are affected)—unless the entity can demonstrate that there is a low probability that the ePHI has been compromised. The entity can do so by conducting a thorough risk assessment, which should include identification of the specific malware and a determination as to whether any ePHI could have been extracted outside of the entity.

OCR also advises that certain measures required by the HIPAA Security Rule can help organizations prepare for ransomware attacks. The Fact Sheet specifically highlights the Security Rule’s requirements for organizations to implement plans for data backup, contingency and business continuity, as well as procedures to respond to and report security incidents.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
