A new factsheet on ransomware prevention and response from the Department of Health and Human Services’ Office for Civil Rights reminds health care providers and others covered by the Health Insurance Portability and Accountability Act that breach notification obligations may be triggered when a ransomware attack occurs. “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” the factsheet notes. Unless the covered entity or business associate can demonstrate “a low probability” that protected health information has been compromised, a breach of PHI is presumed and the entity must comply with the applicable breach notification provisions, the guidance states. The factsheet also addresses how to demonstrate a low probability that PHI has been compromised; how to detect and respond to a ransomware infection; and whether the infection of information encrypted to comply with HIPAA could create a reportable breach. The departments of Homeland Security, Justice, and Health and Human Services last month issued technical guidance summarizing “best practices” to prevent and respond to ransomware incidents, which advises organizations experiencing an incident to immediately contact their Federal Bureau of Investigation Field Office Cyber Task Force or Secret Service field office for assistance and report the incident to the FBI Internet Crime Complaint Center. For additional cybersecurity resources, visit www.aha.org/cybersecurity.
