Recently, the U.S. Department of Health and Human Services (HHS) issued new guidance on ransomware (Guidance).  According to HHS, ransomware is a type of malware that attempts to deny access to a user’s data by, for example, encrypting the data with a key code known only to the hacker who in turn typically seeks a ransom payment in exchange for the decryption key, among other nefarious purposes.  HHS has cited malicious cyberattacks on electronic health information systems, such as ransomware, as one of the biggest current threats to health information privacy.  The Guidance, in the form of an 8-page Fact Sheet, focuses on how effective compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) can help a “Covered Entity” or “Business Associate”: detect, prevent or recover from malware infections, including ransomware; respond if its computer system is infected with ransomware; and determine if a ransomware infection constitutes a breach under the HIPAA Breach Notification Rule.

One of the key issues addressed by the Guidance is whether a ransomware attack constitutes a HIPAA “breach.”  According to HHS, when electronic protected health information (ePHI) is encrypted in a ransomware attack, a breach is presumed to have occurred because “the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information) and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”  A breach is presumed to have occurred as a result of a ransomware attack unless, in accordance with the HIPAA Breach Notification Rule, the Covered Entity or Business Associate can demonstrate that there is a low probability that the protected health information (PHI) has been compromised based on a risk assessment of the following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the identity of the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually viewed or acquired; and (iv) the extent to which the risk to the PHI has been mitigated.  In conducting the risk assessment, the Covered Entity or Business Associate will necessarily have to correctly identify the malware in order to assess the possible extent of the disclosure and to mitigate the risks, including taking corrective action.  HHS points out that the Covered Entity or Business Associate must maintain supporting documentation to meet its burden of proof regarding the determination of a breach and whether to send notifications, including documentation of the risk assessment and conclusions reached, any applicable exceptions to the impermissible use or disclosure, and the notifications made, if required.    

The Guidance emphasizes that Covered Entities and Business Associates must ensure that adequate security procedures are in place, including incident response procedures.  A Covered Entity or Business Associate may be subject to significant penalties under HIPAA for unauthorized disclosure of PHI, including unauthorized disclosures resulting from ransomware attacks by third parties.  It follows that Covered Entities and Business Associates must continue to develop and adapt effective security procedures to address evolving security threats to adequately protect PHI from attack.  HHS continues to engage in zealous enforcement activities to address HIPAA violations, including breaches, and penalties for violations of HIPAA and its implementing regulations can be significant