Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care organizations were victims of ransomware attacks, the OCR commented that many of them did not report the incident or notify patients of the incident.

Recently, the OCR in a monthly newsletter entitled “Cybersecurity Incidents will happen…Remember to Plan, Respond, and Report!” reminded health care entities that the HIPAA Security Rule defines a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The OCR states that health care entities should be prepared for these incidents, implement policies and procedures outlining the response to the incident, including a contingency plan. “Policies, procedures and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

The OCR further explains that if the security incident falls within the definition of a breach under the Breach Notification Rule, then patients are to be notified without unreasonable delay and no later than 60 days following discovery of the breach, and OCR and the media must be notified within certain time frames set forth in the Rule, depending on the number of individuals affected by the breach.

Fines and penalties can be assessed against organizations that do not follow HIPAA, and therefore, any guidance by OCR is important to pay attention to and follow. The OCR has a webpage devoted to breach notification, which can be accessed here.