Ransomware and HIPAA – Determining If a Breach Is Reportable

Ransomware has become a hot topic of conversation in the healthcare world as the industry awaits guidance from the Department of Health and Human Services’ Office for Civil Rights on whether a ransomware attack is a reportable breach under HIPAA. While that guidance is still pending, in this interview Betsy Hodge, an attorney at Akerman LLP, discusses several ways organizations can take the ransomware question into their own hands.

Hodge emphasizes the importance of investigating the type of ransomware involved in an attack and its impact on data. She points to whether the data was actually accessed, as opposed to merely encrypted in place, as a reasonable criterion for a reportable breach. This is consistent with the HIPAA Breach Notification Rule, which defines a breach as an impermissible acquisition, access, use, or disclosure of protected health information and presumes a breach unless a documented risk assessment shows a low probability that the information was compromised. Establishing whether protected health information was actually acquired or viewed is therefore central to the ultimate determination, and that analysis should be documented in the incident record, as the risk assessment itself is subject to review.

Organizations can also take extra steps to protect their data by ensuring that it is backed up to storage the attacker cannot reach (offline or otherwise isolated from the production network), that restores from those backups are tested regularly, and that employees are trained to recognize the phishing messages and suspicious attachments through which ransomware typically arrives.

If you need help protecting your organization’s data, please contact our IT Advisory Services team.