OCR’s HIPAA Guidance on Ransomware Expands Traditional Interpretation of ‘Breach’
Released in response to the escalating prevalence of ransomware attacks (a type of attack in which malware encrypts a computer's files, preventing users from accessing them until a ransom is paid; previously discussed on this blog), the fact sheet emphasizes how compliance with the HIPAA Security Rule (Subpart C of Part 164 of Title 45 of the Code of Federal Regulations, §§ 164.302 et seq.) can help covered entities and business associates prevent, detect, and recover from malware infections, including ransomware.
Notably, the fact sheet puts forward OCR’s belief that the unwanted encryption of electronic protected health information (ePHI) as the result of a ransomware attack is presumptively a breach unless a risk assessment determines that there is a low probability that the attacker’s access to ePHI opened the door to an impermissible disclosure of that ePHI.
Before this guidance was released, many in the health care industry did not consider a ransomware attack to be a breach, because this type of attack often does not appear to involve the use or disclosure of ePHI to an unauthorized user. However, noting that a breach is defined as the impermissible “acquisition, access, use, or disclosure of PHI,” OCR states that a breach occurs when ePHI is encrypted as the result of a ransomware attack because “the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus [there] is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Even if the covered entity or business associate uses some form of full-disk encryption for its data, OCR believes that the ePHI may nevertheless be “unsecured” with respect to a ransomware attacker who has access to the system: full-disk encryption protects data at rest, but malware running on an unlocked, booted system reads the files in the clear, just as any legitimate process would.
While OCR’s interpretation of what it means for ePHI to be “acquired” may be subject to debate, covered entities and business associates should take OCR’s position seriously and conduct a risk assessment under the HIPAA regulations to determine whether a ransomware attack on their systems would constitute a reportable breach. Even if there is a low risk that the privacy of the affected ePHI was compromised, OCR states that the incident may still be reportable if there is a high risk that the data was made unavailable or that its integrity was compromised.