Since the passage of the HITECH Act in 2009, a burden of proof exists for Covered Entities and Business Associates to demonstrate that all notifications are made as required, or that a use or disclosure not permitted by the Privacy Rule was not considered a breach of HIPAA. Prior to HITECH, HHS had to prove harm had occurred due to a breach of HIPAA before taking enforcement action.

One further exception to the breach notification requirements is when breach notifications can be delayed beyond sixty days due to law enforcement involvement. However, this exception is subject to a Covered Entity or Business Associate acquiring documentation showing that a timely notification would impede a criminal investigation or cause damage to national security.

Is a Ransomware Attack Considered a Breach of HIPAA?

The definition of a HIPAA breach is often interpreted as “the acquisition, access, use, or disclosure of unsecured protected health information” – implying that, if PHI has been secured by encryption, a ransomware attack is not considered a breach of HIPAA. In 2021, HHS revised earlier guidance relating to the encryption of secured data in ransomware attacks. The latest guidance notes that some methods of encryption decrypt PHI when a file is accessed by an authorized user. If a ransomware attack occurs while the file is still in use and the PHI decrypted, the PHI cannot be considered to have been secured, and the ransomware attack is considered a breach of HIPAA that must be notified. HHS concludes that whether a ransomware attack is considered a breach of HIPAA is a “fact specific determination”.