Five Takeaways from the OCR Reminder on HIPAA Obligations In Ransomware Incidents

7.10.2017

Apparently prompted by the recent high-profile wave of ransomware attacks, the Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded hospitals, healthcare systems, and other covered entities and business associates of their cybersecurity obligations. The reminder follows a previous warning that, unless the affected covered entity or business associate can establish that there is a low probability that protected health information (PHI) has been compromised, a breach is presumed to have occurred.

First, OCR’s reminder reiterated that the HIPAA Breach Notification Rule defines a breach as the impermissible acquisition of, access to, use of, or disclosure of PHI. Under these criteria, most ransomware incidents would be considered breaches absent an affirmative showing, under a high evidentiary standard, that specific safe harbors apply.

Second, if the ransomware incident implicates the Breach Notification Rule, OCR emphasized that patients, regulators, and in certain instances the media must be notified within the regulatory guidelines. The guidelines provide for notice “without unreasonable delay,” with 60 days considered the outer limit. Timely reporting helps mitigate damage at the individual level (by preventing identity theft) and at the aggregate level (by enabling detection and suppression of threats).

Third, OCR underscored the necessity of having an incident response policy and different types of contingency plans in place. These policies and plans provide the affected entity with a mechanism to continue services even while the security incident is in progress.

Fourth, these policies and plans should be regularly vetted and tested, under the sponsorship of management. In addition to addressing disaster recovery and emergency contingencies, they should encompass maintenance (such as containment testing and regular updates including data backups). They should also factor in post-incident reviews and investigations.

Finally, OCR stressed the desirability of information sharing: pooling threat and vulnerability information to make the healthcare sector as a whole more robust. The Federal Government has encouraged the process through measures such as the Cybersecurity Information Sharing Act (CISA) and Executive Order 13691.

The healthcare sector has been particularly vulnerable to ransomware. Both its operational needs and its stored PHI are extremely sensitive, while its technology infrastructure may be dated, resources are limited, and IT departments and budgets are stretched thin. Nevertheless, HIPAA’s stringent penalty regime and OCR’s stated intention to expand enforcement mean that HIPAA-compliant plans and processes are more important than ever. In short, pay a little for compliance now, rather than a lot – in ransom payments, remediation costs and OCR-imposed penalties – later.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
