Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations.

Specifically, on June 28, 2016, Ted W. Lieu and Will Hurd, members of the U.S. House of Representatives, published a letter to OCR suggesting that, in the event of a ransomware attack (a situation where a third party prevents a healthcare entity from accessing its own records or computer systems), HIPAA and HITECH regulations should require notification:

  1. to patients when an attack prevents a provider from providing care or information critical to care; and
  2. to government agencies.

In addition, the legislators suggest that requiring a provider to offer credit counseling services in the event of a malware attack may be unnecessary and that deletion or destruction of files in such an attack constitutes a breach under HIPAA.

Rules implementing these suggestions potentially make data backup an even more important aspect of electronic health record systems, because a backup that allows continued operation and data access could potentially avoid a requirement to notify patients, or avoid regulatory penalties. In addition to the clinical and operational benefits of maintaining continued access to information, the financial savings realized by minimizing patient notification, penalties and other mitigation costs, like paying the ransomware attacker (ransoms have ranged from hundreds of dollars to tens of thousands of dollars), justify a review of backup practices and implementation of backup systems that would not be compromised by a ransomware attack on a provider’s computers.

Of course, even if a provider has a backup that avoids operational or record access disruption, under the legislators’ recommendation, it appears that a provider could be required to rapidly report to government agencies. However, we will not know whether or how such reporting is required until OCR publishes proposed rules on this issue.