
Five Takeaways from the OCR Reminder on HIPAA Obligations In Ransomware Incidents

7.10.2017

Apparently prompted by the recent high-profile wave of ransomware attacks, the Department of Health and Human Services’ Office of Civil Rights (OCR) has reminded hospitals, healthcare systems, and other covered entities and business associates of their cybersecurity obligations. The reminder follows a previous warning that unless the affected covered entity or business associate can establish that there is a low probability that personal health information (PHI) has been compromised, a breach is presumed to have occurred.

First, OCR’s reminder reiterated that the HIPAA Breach Notification Rule defines a breach as the impermissible acquisition of, access to, use of, or disclosure of PHI. Under these criteria, most ransomware incidents would be considered breaches absent an affirmative showing, under a high evidentiary standard, that specific safe harbors apply.

Second, if the ransomware incident implicates the Breach Notification Rule, OCR emphasized that patients, regulators, and, in certain instances, the media must be notified within the regulatory guidelines. The guidelines provide for notice “without unreasonable delay,” with 60 days considered the outer limit. Timely reporting helps mitigate damage at the individual level (by preventing identity theft) and at the aggregate level (by enabling detection and suppression of threats).

Third, OCR underscored the necessity of having an incident response policy and different types of contingency plans in place. These policies and plans provide the affected entity with a mechanism to continue services even while the security incident is in progress.

Fourth, these policies and plans should be regularly vetted and tested, under the sponsorship of management. In addition to addressing disaster recovery and emergency contingencies, they should encompass maintenance (such as containment testing and regular updates including data backups). They should also factor in post-incident reviews and investigations.

Finally, OCR stressed the desirability of information sharing: pooling threat and vulnerability information to enable greater robustness of the healthcare sector as a whole. The Federal Government has encouraged the process via measures such as the Cybersecurity Information Security Act (CISA) and Executive Order 13691.

The healthcare sector has been particularly vulnerable to ransomware. Both its operational needs and the PHI it stores are extremely sensitive, while its technology infrastructure may be dated, its resources are limited, and its IT departments and budgets are stretched thin. Nevertheless, HIPAA’s stringent penalty regime and OCR’s stated intention to expand enforcement mean that HIPAA-compliant plans and processes are more important than ever. In short, pay a little for compliance now, rather than a lot – in ransom payments, remediation costs and OCR-imposed penalties – later.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
