On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.

Ransomware is a type of malware that hackers use to encrypt data on an unsuspecting user’s device. Hackers then withhold the decryption key until the user pays a ransom to obtain it.  To maintain anonymity, hackers demand bitcoins or some other cryptocurrency.

OCR’s guidance explains that many of the information security measures organizations should already be taking under HIPAA will help prevent a cyber or ransomware attacks. These measures include regular risk assessments, training users on how to detect unauthorized access, and limiting access to PHI. OCR also adds that Covered Entities’ and Business Associates’ breach response plans should include measures to address ransomware attacks. OCR describes the HIPAA Security Rule “as a floor, or minimum requirements, for the security of ePHI” and encourages organizations to implement additional security measures that the Security Rule does not require.

The guidance further suggests that in conducting a risk assessment to determine whether a ransomware attack results in a low probability of harm (and, therefore, does not mandate notification of affected individuals or HHS), Covered Entities and Business Associates rely not only on the four factors outlined in the Security Rule, but “consider additional factors, as needed, to appropriately evaluate the risk that the PHI has been compromised.”

In announcing the guidance, however, OCR’s Director took the position that a ransomware attack would “usually result in a ‘breach’ of healthcare information.”  The Director’s view suggests that OCR would likely view ransomware attacks as triggering the Security Rule’s breach notice obligations and scrutinize risk assessments that conclude that a ransomware attack results in low probably of harm and does not require notification.

Thus Covered Entities and Business Associates are well advised to have procedures in place to notify affected individuals, HHS, and other stakeholders in the even they experience a ransomware attack. Covered Entities and Business Associates may take comfort in the possibility that properly encrypted PHI is not necessarily unsecured PHI. In other words, if an organization can confirm the PHI was encrypted and, therefore, not compromised, it may avoid a conclusion that a breach occurred. Nonetheless, this determination remains fact-specific and must be considered on a case-by-case basis.

Our Take

OCR’s characterization of the Security Rule as a “floor” suggests that Covered Entities and Business Associates that are complying with the Rule’s already-detailed security requirements are doing only the “minimum” to protect and secure PHI. This position may surprise HIPAA Privacy and Security officers who may have believed that compliance with HIPAA Security protocols was sufficient. Further, in light of the OCR Director’s broad view that the effects of ransomware trigger breach notice obligations, Covered Entities and Business Associates are well advised to exercise caution and adopt a conservative approach in conducting post-incident risk assessments.