Ransomware and HIPAA have been a topic on the podcast multiple times. They are some of our most popular episodes, in fact. Recently, we realized we haven’t discussed the OCR guidance on ransomware and HIPAA. On July 11, 2016, HHS.gov featured a new post from Jocelyn Samuels, Director of the Office for Civil Rights (OCR). The title is catchy: Your Money or Your PHI: New Guidance on Ransomware.
This episode reviews the points in the OCR fact sheet on ransomware and HIPAA that the Samuels post announced.
Ransomware and HIPAA
Below are the points in the fact sheet. We discuss each of them so listen in!
- What is ransomware?
- Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?
- Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
- How can covered entities or business associates detect if their computer systems are infected with ransomware?
- What should covered entities or business associates do if their computer systems are infected with ransomware?
- Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
- How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?
- Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?