You’ve probably seen the recent headlines about businesses falling victim to crippling ransomware attacks.
Ransomware attacks – data kidnapping where attackers encrypt victims’ data and demand payment for the decryption key – can affect everything from customer data to your employees’ protected health information (PHI).
If PHI is involved, employers have certain responsibilities under HIPAA.
Here’s how ransomware can affect PHI and the HIPAA-compliant steps you should take if that happens, courtesy of the Employee Benefits Institute of America (EBIA): Say an employer that’s the administrator of a self-insured plan is the target of a ransomware attack affecting the availability of certain health plan files.
Does the employer have HIPAA responsibilities here? Probably.
According to HHS’ Office for Civil Rights (OCR), when electronic PHI is encrypted in a ransomware attack, a HIPAA privacy breach has occurred. That means the plan is required to provide notification of the breach unless it can show a “low probability” of the PHI being compromised.
How does a plan prove low probability? Through a risk assessment that evaluates at least four risk factors:
- the nature and extent of the PHI involved in the breach
- the identity of the authorized person who used the PHI or to whom the disclosure was made
- whether PHI was actually acquired or viewed (instead of just being accessible), and
- the extent to which risk to the PHI has been mitigated (data backup, disaster recovery, etc.).
OCR has ransomware guidance that spells out other factors to look into during the evaluation (type of ransomware, attempts to remove PHI and whether the ransomware has spread to other systems).
When PHI is breached
If the assessment finds a breach, you must notify individuals whose PHI was “impermissibly disclosed” ASAP and no later than 60 days after the discovery of the breach. The notification must be in plain English and comply with specific OCR content and delivery rules.
And if the breach involves PHI of 500 or more individuals, HHS must be notified in the same time frame as affected individuals (500 or more individuals residing in the same state requires media notification).
For breaches of fewer than 500 individuals, a notification in the year-end annual report is fine.