Ransomware
Malicious software that encrypts data or systems and demands payment for decryption; HHS guidance generally presumes a ransomware event on ePHI is a HIPAA breach.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
The HHS Ransomware fact sheet explains that a ransomware encryption of ePHI is a security incident under 45 CFR 164.308(a)(6) and, absent a low-probability-of-compromise determination via the four-factor test, a reportable breach.
How it shows up in your practice
Backups (tested!), MFA, EDR, and segmented networks reduce both the likelihood and the regulatory consequence. Document the four-factor analysis even when ransomware does not exfiltrate data — the encryption alone is a compromise of the availability of ePHI.
Sources
- 45 CFR 164.308 — Administrative safeguardshttps://www.ecfr.gov/current/title-45/section-164.308
- 45 CFR 164.402 — Breach definitionshttps://www.ecfr.gov/current/title-45/section-164.402
- HHS — HIPAA Security Rulehttps://www.hhs.gov/hipaa/for-professionals/security/index.html
Run the ransomware playbook in the Compliance Binder
Open compliance binder →Related terms
- SecurityIncident Response PlanThe documented plan describing how a covered entity detects, contains, eradicates, and recovers from a security incident.
- HIPAA & PrivacyFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- SecurityContingency PlanThe HIPAA-required plan covering data backup, disaster recovery, and emergency-mode operation when normal operations are disrupted.
- SecurityPhishingSocial-engineering attack that uses deceptive email, text, or voice messages to trick recipients into revealing credentials or installing malware.
- SecurityBackup and RecoveryProcedures to create and maintain retrievable exact copies of ePHI and to restore data and systems after a disruption.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBackup and RecoveryProcedures to create and maintain retrievable exact copies of ePHI and to restore data and systems after a disruption.
- GlossaryContingency PlanThe HIPAA-required plan covering data backup, disaster recovery, and emergency-mode operation when normal operations are disrupted.
- GlossaryIncident Response PlanThe documented plan describing how a covered entity detects, contains, eradicates, and recovers from a security incident.
- GlossaryPhishingSocial-engineering attack that uses deceptive email, text, or voice messages to trick recipients into revealing credentials or installing malware.
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
- SRAHIPAA Contingency Plan for a Small PracticeWhat the Security Rule contingency plan standard at 45 CFR 164.308(a)(7) actually requires, including data backup, disaster recovery, emergency mode operation, and testing — for a small practice.
- RegulationHIPAA Security Access Control (45 CFR 164.312(a))Technical policies and procedures for systems containing ePHI to allow access only to those granted access rights, with required specifications for unique user identification and emergency access.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.