If your organization operates in the healthcare industry, particularly if it qualifies as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), you may have noticed the recent flurry of activity from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). First, HHS has recently launched phase two of its three-part audit of compliance with HIPAA privacy, security and breach notification rules. Second, HHS has provided guidance on ransomware which states that the presence of ransomware is a “security incident,” which triggers breach disclosure obligations. Organizations subject to HIPAA should review its security incident procedures in light of the upcoming audits and the ransomware guidance and even entities outside the healthcare industry may also benefit from reviewing these guidance documents since other agencies and governmental authorities may follow HHS’s lead in these interpretations.