Deven McGraw, Deputy Director for Health Information Privacy for the Office for Civil Rights, provided updates this week on the status of the Phase 2 HIPAA Audit Program. In April, McGraw forecasted that the agency would begin contacting covered entities selected for an audit by the end of this month. Now, OCR says that challenges in identifying and selecting a diverse pool of organizations to audit have delayed the start of the actual audit program to “sometime this summer”.
In addition, there are reports that on May 20th, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast” asking for recipients to confirm if the recipient was associated with an organization that was a HIPAA covered entity and to provide the contact information for the appropriate HIPAA privacy and security officials. This likely portends a new round of OCR Pre-Audit Questionnaires. In her recent comments, McGraw confirmed that the overall audit program design remains unchanged with the goal being approximately 200-250 desk audits of covered entities and business associates performed by the end of 2016.
Is a Ransomware Attack Considered a Breach?
OCR’s McGraw also called attention to the debate on whether a covered entity or business associate should respond to a ransomware attack as a reportable breach under the HIPAA/HITECH Breach Notification Rule. According to McGraw, OCR is concerned that organizations are underreporting breach incidents caused by ransomware attacks. McGraw explained that covered entities and business associates that experience cybersecurity incidents are overlooking that under the Privacy Rule, when a cybercriminal gains access to an information system that creates, transmits or maintains protected health information, this constitutes an unauthorized disclosure of PHI. The Privacy Rule does not require that the PHI be removed, exfiltrated or further disclosed. Mere ability to view or access the PHI is sufficient to trigger a disclosure under the HIPAA rule.
The Breach Notification Rule provides that an unauthorized disclosure of PHI triggers the requirements for notification unless the covered entity or business associate can show through a mandated breach assessment that there is a low risk of compromise to the data. The breach rule requires notification to the individuals whose PHI was affected, as well as notification to OCR, and in some cases the media. McGraw said that OCR will be examining media reports of ransomware incidents involving organizations handling PHI and possibly opening reviews to check on how covered entities and business associates are complying with the requirements of the Breach Notification Rule.
CynergisTek recommends that if your organization falls victim to an attempted or successful ransomware incident, there should be a careful forensic examination of the information system to determine if the attackers had the ability to access PHI, the extent of individual information affected, as well as an assessment for the probability of compromise to the data using the requirements of the Breach Notification Rule as a guide. We also recommend that you create awareness across your enterprise in the event of an attempted or successful ransomware attack against ransomware. If you would like to learn more about CynergisTek’s HIPAA Privacy programs or additional ways to perform a breach assessment, email us at firstname.lastname@example.org.