Five Takeaways from the OCR Reminder on HIPAA Obligations In Ransomware Incidents
By Saad Gul and Michael E. Slipsky
Apparently prompted by the recent high-profile wave of ransomware attacks, the Department of Health and Human Services’ Office of Civil Rights (OCR) has reminded hospitals, healthcare systems, and other covered entities and business associates of their cybersecurity obligations. The reminder follows a previous warning that a breach is presumed to have occurred unless the affected covered entity or business associate can establish that there is a low probability that protected health information (PHI) has been compromised.
First, OCR’s reminder reiterated that the HIPAA Breach Notification Rule defines a breach as the impermissible acquisition, access, use, or disclosure of PHI. Under this definition, most ransomware incidents would be considered breaches absent an affirmative showing, under a high evidentiary standard, that specific safe harbors apply.
Second, if the ransomware incident implicates the Breach Notification Rule, OCR emphasized that patients, regulators, and in certain instances the media must be notified within the regulatory guidelines. The guidelines provide for notice “without unreasonable delay,” with 60 days considered the outer limit. Timely reporting helps mitigate damage at the individual level (by preventing identity theft) and at the aggregate level (by enabling detection and suppression of threats).
Third, OCR underscored the necessity of having an incident response policy and different types of contingency plans in place. These policies and plans provide the affected entity with a mechanism to continue services even while the security incident is in progress.
Fourth, these policies and plans should be regularly vetted and tested, under the sponsorship of management. In addition to addressing disaster recovery and emergency contingencies, they should encompass maintenance (such as containment testing and regular updates including data backups). They should also factor in post-incident reviews and investigations.
Finally, OCR stressed the desirability of information sharing: pooling threat and vulnerability information to make the healthcare sector as a whole more robust. The Federal Government has encouraged such sharing through measures such as the Cybersecurity Information Sharing Act (CISA) and Executive Order 13691.
The healthcare sector has been particularly vulnerable to ransomware. Both its operational needs and the PHI it stores are highly sensitive, while its technology infrastructure may be dated, resources are limited, and IT departments and budgets are stretched thin. Nevertheless, HIPAA’s stringent penalty regime and OCR’s stated intention to expand enforcement mean that HIPAA-compliant plans and processes are more important than ever. In short, pay a little for compliance now, rather than a lot – in ransom payments, remediation costs and OCR-imposed penalties – later.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.