What You Need to Know About Ransomware and HIPAA Compliance

There is no more hedging on whether ransomware incidents should be identified and treated the same way as other data breaches under the Health Insurance Portability and Accountability Act (HIPAA). The United States Department of Health and Human Services Office for Civil Rights (OCR) has stated that ransomware attacks constitute a breach unless there is substantial evidence to the contrary.

Ransomware doesn’t exactly fit the traditional HIPAA definition of a breach, which states a breach should involve “…the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the [HIPAA Privacy Rule] which compromises the privacy of PHI.” (45 CFR § 164.402)

However, the OCR has taken steps to characterize the act of encryption (typical of most ransomware incidents) as a form of malicious acquisition and disclosure of protected data: “A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.”
