Breach Notification , HIPAA/HITECH , Incident & Breach Response

When Do Ransomware Attacks Require Breach Notification?

OCR's Deven McGraw Explains the Requirements Under HIPAA

Most - but not all - ransomware attacks against healthcare organizations are reportable breaches requiring notification to affected individuals and federal regulators, explains Deven McGraw, deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights.

See Also: Reducing Complexity in Healthcare IT

Although OCR - the agency that enforces HIPAA - issued guidance on the ransomware issue in July, confusion still exists among many covered entities and business associates about whether they need to provide breach notification to affected individuals and federal regulators about these attacks, which have been surging in the healthcare sector in recent months.

"The devil is always in the details with respect to whether or not there is a need to notify because the low probability of compromise test is not met," McGraw says in a video interview at Information Security Media Group's recent Healthcare Security Summit in New York. "But the presumption is notification is required. The low probability of compromise is just a determination of whether you don't have to notify. In most circumstances, if the breach definition is met, which in many times in a ransomware attack it would be, then the presumption is to notify."

In the interview, McGraw also discusses:

  • OCR's launch of remote "desk" HIPAA compliance audits of business associates this month and its plans to begin selected onsite audits for covered entities and BAs in the first quarter of 2017;
  • The surge of cyberattacks in the healthcare sector;
  • OCR's plans for guidance on texting and social media.

Before joining OCR, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, and co-led the committee's Privacy and Security Workgroup - previously called the Privacy and Security Tiger Team - as well as its Information Exchange Workgroup.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.