ARTICLE
15 September 2016

HHS Issues Guidance On Ransomware And HIPAA

Jones Day


In July 2016, the U.S. Department of Health & Human Services ("HHS") issued guidance concluding that a ransomware attack on electronic protected health information ("ePHI") is presumptively a "breach" under the Health Insurance Portability and Accountability Act ("HIPAA"). The guidance reasons that when ePHI is encrypted as the result of a ransomware attack, the ePHI has been "acquired" by unauthorized individuals (they have taken possession or control of it), and such an acquisition is a "disclosure" not permitted under the HIPAA Privacy Rule. A breach is therefore presumed to have occurred unless the covered entity or business associate can demonstrate, through the risk assessment required by the Breach Notification Rule, that there is a low probability that the protected health information has been compromised. That assessment turns on the facts of the particular incident, including what ePHI was affected, whether it was merely encrypted in place or also exfiltrated, and whether the entity had already encrypted the ePHI in a manner that kept the attacker from reading it; absent such a showing, the breach notification obligations apply.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
