From: Lexology
Douglas F. Brent | Stoll Keenon Ogden PLLC
***
But it’s more than that. The unwanted encryption of Personal Health Information following a ransomware attack may be treated by HHS as a HIPAA breach, even when the PHI had already been encrypted by the covered entity to comply with the Security Rule.
***
HHS/OCR says that whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination, noting that a breach under the HIPAA Rules is defined as “…the acquisition, access, use, or disclosure of PHI in a manner not permitted which . . . compromises the security or privacy of the PHI.”