Ep. 19 - What to Do When Your Business Associate Suffers a Ransomware Attack

Dentons

A Decision-Tree for Evaluating Your HIPAA Reporting Obligations

Please see Podcast here.

The healthcare industry remains a popular target for ransomware attacks. If you haven’t been impacted by a ransomware attack, it’s likely only a matter of time before someone you do business with or buy services from is impacted.

Ransomware attacks present some unique issues when it comes to HIPAA breach reporting, including whether a breach has occurred and whether it’s reportable to regulators and patients. When the ransomware attack affects your business associate, it may be months before you’re provided with information relating to the attack, and the information you are provided with may be limited. Yet, as the covered entity, HIPAA makes it your responsibility to assess whether a breach has occurred and, if so, whether it’s required to be reported to regulators, patients, and in some cases, the media.

We frequently receive inquiries from providers whose business associates have notified them that a ransomware attack has occurred but take the position that the attack did not result in a reportable breach. Providers receiving this type of communication may be tempted to rely on their business associate’s assessment and conclude no further action is needed. However, doing so poses a risk to the provider, which as the covered entity is ultimately responsible for ensuring reportable breaches are appropriately reported.

What should a provider do in this circumstance? The one thing it should NOT do is do nothing. When a provider receives this type of communication, it should conduct its own analysis and risk assessment, making sure to document its rationale and decision-making. Check out this week’s podcast, and our free decision-tree resource below, for how to evaluate whether a ransomware attack suffered by a business associate is a reportable breach under HIPAA.

Ransomware-Breach-Decision-Tree

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons