Ransomware Attack is a HIPAA Breach

May 16, 2017

We are all vulnerable to hacking, but the consequences for a HIPAA covered entity or business associate are exceptionally bad. Most are not aware that HHS considers a ransomware attack a breach and that if it involves more than 500 patient files it must be reported to HHS and will be posted on the Wall of Shame. This is already a bad outcome but it accelerates it’s downhill slide if they get audited for HIPAA compliance.

The three critical areas for proof of HIPAA compliance are an up to date risk assessment. Up to date generally means at least in the past twelve months although it could be shorter if there have been major changes in the organization. Next are up to date policies which means documentation that you have reviewed and edited them if necessary to reflect your current business model and any regulatory changes. Finally, documentation of training your staff on security and privacy.

The start of this process may be what is called a desk audit. This consists of a letter requesting documentation of these three critical areas. Generally you get a very short time to respond but if you can supply the documents you are probably off the hook. If you can’t the hook will sink in deeper.

An on-site audit might reveal that you have not done an official risk assessment. A risk assessment done to the NIST model is the gold standard, anything short of that may not be accepted by the auditor. Lack of an acceptable risk assessment has been the key factor in the major penalties handed down by OCR.

An up to date risk assessment will include a gap analysis which will show you areas that need to be addressed and risks that need to be mitigated. Go to our site at www.compliancehelper.com to learn more or contact me at Jack@compliancehelper.com


Back to News