Are Smaller Healthcare Practices Required to Report a #Ransomware or Potential Data Breach?

Does the HIPAA Breach Notification Rule apply to all Covered Entities and Business Associates, Even Smaller Ones?

To many of you reading this post, this question seems ridiculous. You know the answer. However, I get asked this question so frequently that I decided to answer it with a blog post to save time the next time I get asked the same question. What is worse, however, is that I often hear people say — out of complete ignorance — “no, it is not a big deal.”

Let me be clear: it is a big deal – a very big deal – and if it is considered a “breach” then you are required to report. See this Guide for more information.

Healthcare professionals must understand just how important cybersecurity and the privacy of patient protected health information (PHI) are to their practices: you can spend your entire career building a fine medical practice and lose it all because you did not take this seriously. Don’t believe me? Then jump to this point of the post.

Are ransomware attacks a data breach?

Regarding ransomware attacks in particular, the Department of Health and Human Services (HHS) considers these kinds of attacks on Covered Entities and Business Associates to be a breach that requires notification by default, unless you perform a risk assessment that considers four factors and determines there was no breach. See the HHS FACT SHEET: Ransomware and HIPAA.

The reason for this lies in what is called the CIA Triad of cybersecurity: to maintain the security of data, you must ensure its confidentiality, integrity, and availability. When a ransomware attack encrypts your data, you no longer have availability unless you have appropriate backups of the data. Moreover, depending on the nature of the ransomware, some strains exfiltrate data prior to the encryption, causing a failure to maintain confidentiality as well.

Is there a penalty for failing to notify?

See also Professor Daniel Solove’s 2017 HIPAA Enforcement Update.

Absolutely. When a Covered Entity or Business Associate fails to comply with the HIPAA Breach Notification Rule, HHS may launch an investigation and bring an enforcement action against the entity that failed to notify in a timely manner. Below are two notable cases where HHS has done this, but it is important to note that the vast majority of the smaller cases are resolved with fines and compliance measures imposed at the investigation level:

Does HHS fine small healthcare practices?

Read these examples and decide for yourself:

If you would like more information about other HHS cases, read about these HHS Case Examples.
What are the 3 most important questions you should ask yourself now before you have an incident?

  1. Do you have privacy and cyber insurance coverage for your practice?
  2. Do you always have a backup of your critical business, customer, and PHI information that is completely disconnected from your network?
  3. Do you understand these 3 critical cybersecurity steps your organization must take?