The modern privacy era in health care began with the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. During the past two decades, HIPAA has changed significantly through legislative and rule-making processes, with the bulk of those efforts focused on protecting patients’ personal information. Physicians, health centers and hospitals are often on the front lines of those efforts, spending significant time, resources and money to comply with procedures required by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR).
The latest change to HIPAA happened in July 2016. OCR announced that when a covered entity or business associate is hit by a software breach known as ransomware, the incident is presumed to be a reportable breach unless the entity can prove otherwise. This is a significant reversal of previous OCR policy in which no action was needed if the entity had determined there was no breach.
By definition, ransomware is a form of malicious software (also known as “malware”) that encrypts or rewrites the data on a computer to block the owner’s access to it unless a ransom is paid.