March 2018

Introduction

The modern privacy era in health care began with the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. During the past two decades, HIPAA has changed significantly through legislative and rule-making processes, with the bulk of those efforts focused on protection of patient’s personal information. Physicians, health centers and hospitals are often on the front lines of those efforts, spending significant time, resources and money to comply with procedures required by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR).

The latest change to HIPAA happened in July 2016. OCR announced that when a covered entity or business associate is hit by a software breach known as ransomware, the incident is presumed to be a reportable breach unless the entity can prove otherwise.1 This is a significant reversal of previous OCR policy in which no action was needed if the entity had determined there was no breach.

By definition, ransomware is a form of malicious software (also known as "malware") that encrypts or rewrites the code on a computer’s information to block the owner’s access to it unless a ransom is paid.1

OCR’s clarification means that physicians and practices hit by ransomware attacks risk damage not only from the attack itself, but also from HIPAA-related action if they cannot disprove a breach. Failure to take action can not only result in significant fines from HHS, but also a poor reputation for maintaining patient records. This Issue Brief will help explain OCR’s move and offer insight on what practices can do to better prepare for these types of attacks.

To view this Issue Brief in its entirety, click Get Resource.