
Ransomware and HIPAA: HIPAA Turns 20

David Rosenthal

Vice President, Business Development


HCCS, A HealthStream Company

The Health Insurance Portability and Accountability Act, known throughout the healthcare world as HIPAA, was signed into law by President Bill Clinton in August of 1996. In the 20 years since, HIPAA has become one of the most widely cited and discussed regulations. The actual law went into effect in 2002 and 2003.

One thing that has been consistent with the HIPAA regulations since the rule went into effect is a constant flow of rule changes, interpretations, and guidance. This year is no exception. The HHS recently released a new guidance titled “Ransomware and HIPAA.”

Ransomware is malware that locks up a computer or network to prevent access to data until a ransom, usually demanded in Bitcoin, is paid. Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without access to medical histories, drug usage, surgery directives, and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

Ransomware has the potential to expose patients’ Protected Health Information (PHI). PHI is at the center of HIPAA regulation, and any potential release of PHI is a potential HIPAA violation, even when it occurs due to nefarious and illegal acts by outside third parties. Ultimately, the healthcare facility is responsible for safeguarding the health information of its patients.

Another Day, Another New HIPAA Guidance

In July, HHS released FACT SHEET: Ransomware and HIPAA, a guidance document on how covered entities can use HIPAA compliance to protect their organizations from ransomware, and on their HIPAA responsibilities if they become victims of ransomware.

This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.

The guidance goes on to discuss preventive measures already encouraged by the HIPAA security regulations and the steps to take to determine if a ransomware attack is a HIPAA breach. Regarding a HIPAA breach, the guidance states “Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.”

You can read the full document at FACT SHEET: Ransomware and HIPAA.

Happy Birthday HIPAA – You are no longer an adolescent and, like many 20-year-olds, it looks like you aren’t likely to slow down any time in the near future. As compliance and training administrators, expect more rule changes and interpretations of the HIPAA regulations in the years ahead.