Ransomware attacks increase, OCR updates HIPAA

“All the dude ever wanted was his rug back, man. It really tied the room together.”

Recently, I was conversing with a colleague in Dallas, Texas, and the aforementioned quote from The Big Lebowski arose. As a nod to him, I’m “tying” the recent developments to the notions of ransomware attacks, data privacy, and giving patients their medical records in a timely manner.

Not surprisingly, healthcare remains a major target for ransomware attacks. Since March 2020, when the COVID-19 pandemic was declared,

Some items of note from the Crowdstrike Report include the following:

• Data extorsion is the most lucrative ransomware method for cybercriminals worldwide;
• Healthcare is in the top 5 industries that are targeted;
• An increasing number of hospitals and health systems have reported being targets; and
• More patient data that is extracted is being placed on the dark web (i.e., Leon Medical Centers (Miami, FL) and Nocona General Hospital (Texas).

Earlier this month, the Department of Health and Human Services Office for Civil Rights (OCR) announced a 45-day extension for the public comment period to modify the HIPAA Privacy Rule. Comments are due no later than May 6, 2021. The impetus behind the extension, as the OCR Acting Director stated, “OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system.” Two of the key aspects being considered are strengthening an individual’s right to access his/her own health information, including electronic information and improved coordination of care.

Finally, OCR released an announcement indicating that it had settled its sixteenth action related to its HIPAA Right of Access Initiative. Sharp HealthCare, dba Sharp Rees-Stealy Medical Centers entered into a monetary settlement of $70,000 and a corrective action plan. In June 2019, a complaint was filed with OCR indicating that Sharp HealthCare failed to provide the requested medical records to a third party. Subsequently, in August 2019, a second complaint was filed because the data still had not been received.

In sum, “[a]ll the dude ever wanted was his [data] back.” The increase in ransomware attacks serve as a reminder that the technical, administrative, and physical safeguards need to be implemented in accordance with the Security Rule and NIST standards are preferrable. OCR’s focus on the Privacy Rule and its continued enforcement actions for failing to provide patients with requested medical records underscores the importance of providing the records within 30 days (unless notice is given indicating that an additional 30 days is needed) under HIPAA and potentially within a shorter timeframe under individual state laws.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}