On July 11, the director of the Office for Civil Rights issued new guidance on ransomware.

Since the beginning of 2016, reports of ransomware on health care networks have increased. Many people have been asking for guidance as to if ransomware should be reported or not. Understandably, no one wants to report a HIPAA compliance breach, so some entities have been claiming that ransomware does not constitute a breach, because information was not gathered. Other entities have been claiming that it should be a reportable breach because it still affects the access of protected health information (PHI).

Jocelyn Samuels, the director of the Office for Civil Rights (OCR), cleared up the issue in a recent statement outlining new guidance on ransomware . In this new guidance, the OCR classifies ransomware as a security incident. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

From there, the OCR states that ransomware should be handled as not only a security incident, but also a breach. A breach is “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” Subpart E of the HIPAA standards specifies the privacy of PHI and how it may be used, accessed or disclosed.

In the guidance provided by the OCR, encryption by the ransomware program means the security incident is a breach because it involves the unauthorized acquisition and disclosure of PHI as outlined in the HIPAA Privacy Rule. Consequently, an entity affected by ransomware must report the incident to the OCR and to the media if it affects more than 500 patients.

Use HIPAAgps to stay up to date on changes and guidance with HIPAA compliance.