Five Takeaways from the OCR Reminder on HIPAA Obligations In Ransomware Incidents

7.10.2017

Apparently prompted by the recent high-profile wave of ransomware attacks, the Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded hospitals, healthcare systems, and other covered entities and business associates of their cybersecurity obligations. The reminder follows a previous warning that, unless the affected covered entity or business associate can establish that there is a low probability that protected health information (PHI) has been compromised, a breach is presumed to have occurred.

First, OCR’s reminder reiterated that the HIPAA Breach Notification Rule defines a breach as the impermissible acquisition of, access to, use of, or disclosure of PHI. Under this definition, most ransomware incidents would be considered breaches absent an affirmative showing, under a high evidentiary standard, that specific safe harbors apply.

Second, if the ransomware incident implicates the Breach Notification Rule, OCR emphasized that patients, regulators, and, in certain instances, the media must be notified within the regulatory timelines. The guidelines call for notice “without unreasonable delay,” with 60 days considered the outer limit. Timely reporting helps mitigate damage at the individual level (by preventing identity theft) and at the aggregate level (by enabling detection and suppression of threats).

Third, OCR underscored the necessity of having an incident response policy and different types of contingency plans in place. These policies and plans provide the affected entity with a mechanism to continue services even while the security incident is in progress.

Fourth, these policies and plans should be regularly vetted and tested, with management sponsorship. In addition to addressing disaster recovery and emergency contingencies, they should cover ongoing maintenance (such as containment testing and regular updates, including data backups). They should also provide for post-incident reviews and investigations.

Finally, OCR stressed the desirability of information sharing: pooling threat and vulnerability information to make the healthcare sector as a whole more resilient. The Federal Government has encouraged the process through measures such as the Cybersecurity Information Sharing Act (CISA) and Executive Order 13691.

The healthcare sector has been particularly vulnerable to ransomware. Both its operational needs and the PHI it stores are extremely sensitive, while its technology infrastructure may be dated, resources are limited, and IT departments and budgets are stretched thin. Nevertheless, HIPAA’s stringent penalty regime and OCR’s stated intention to expand enforcement mean that HIPAA-compliant plans and processes are more important than ever. In short, pay a little for compliance now, rather than a lot (in ransom payments, remediation costs, and OCR-imposed penalties) later.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
