OCR Provides Guidance on Ransomware Attacks

On Monday, July 11, 2016 the Office of Civil Rights (OCR) released a guidance document designed to provide information on ransomware attack prevention and recovery from a health care system perspective.  The guidance release follows suggestions from a June letter to OCR from Rep. Will Hurd, (D-TX) Chairman of the House Oversight IT subcommittee, and Rep. Ted Lieu (D-CA).


The OCR guidance describes the role of the Health Insurance Portability and Accountability Act (HIPAA) in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks. Per the guidance, unless the covered entity or business associate can demonstrate that there is a “low probability” that the Protected Health Information (PHI) is compromised, a breach of PHI is presumed to have occurred.  The guidance goes on to describe how covered entities or business associates can demonstrate that there is a “low probability that the PHI has been compromised” such that the breach notification would not be required.


Additionally, the OCR guidance provides information on how HIPAA breach notification processes should be managed in response to a ransomware attack. Steps for initial incident response activities and analysis are provided along with steps that an entity should take for subsequent security incident response activities.