Jeff Duncan Brecht authored an article for the latest edition of Health Care Liability & Litigation, a semi-annual publication of the American Health Lawyers Association, titled “OCR’s 2016 Ransomware ‘Guidance’: A Health Care Provider’s New Best Friend?” The article discusses the implications of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) 2016 Fact Sheet; specifically, the conditions under which a breach of protected health information is presumed to have occurred.
Now, under OCR’s 2016 guidelines, it appears that providers infected with ransomware must instead start with the presumption that PHI was breached. This means that, where ransomware has historically been considered by many to be a (potentially costly) annoyance to providers, OCR’s new automatic HIPAA breach presumption could make ransomware attacks even more costly, from both a financial and a public relations perspective. It is possible that OCR’s 2016 HIPAA guidelines could cause providers to conclude that more ransomware attacks are breaches.