It’s been a while since we last published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share with our readers over the coming months. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information (PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.

Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.

Continue Reading OCR: Ransomware Attack Often Is a Data Breach

As published in State Bar of Michigan Health Care Law Section

“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth dates and Social Security numbers. Health care providers that suffer data breaches risk incurring significant fines, settlement amounts, legal fees, negative publicity and increased scrutiny from regulatory authorities …”

The American Recovery and Reinvestment Act of 2009 (ARRA) tasked the Office of Civil Rights (OCR) (the division of the Department of Health and Human Services responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated under it) with conducting audits of covered entities and business associates for compliance with HIPAA. Phase One concluded in 2012, and covered entities and business associates have since been waiting for the rollout of Phase Two. The Phase Two audits will be the first time business associates may find themselves face-to-face with OCR, as Phase One audits did not include business associates. The protocol for Phase Two audits is to include changes to the regulations from the 2013 Omnibus Final Rule, which vastly expanded the types of entities falling within the definition of “business associate” and implemented regulations prescribed by the Health Information Technology for Economic and Clinical Health Act (HITECH) subjecting business associates to liability under HIPAA for compliance with the Security Rule and most of the Privacy Rule.

Phase Two audits were expected to begin in late 2014, but Jocelyn Samuels, the Director of OCR, recently announced that budgetary and staffing considerations have further delayed the rollout of Phase Two audits. Without specifying a date on which the Phase Two audits would commence, Ms. Samuels did not downplay the imminence of such audits, explaining that the audits would begin “expeditiously.”

Continue Reading Delay of HIPAA Phase Two Audits: Preparing for the Inevitable