On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.
Encryption of patient personal information to be the law of the land in New Jersey
Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.
The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the compromise of thousands of patients’ records that were stored on unencrypted computers and computer equipment. The records included patients’ names, addresses, dates of birth, social security numbers and medical information.
By mandating that health care insurers encrypt sensitive patient data, New Jersey seeks to ensure that patients’ personal information is no longer subjected to potential disclosure to unauthorized persons. Sponsors of the legislation argued that it sends a clear message to the public that the government is committed to enforcing the state’s consumer protection laws against health care insurers that have access to patients’ private information.
The key requirements of S562, as well as our recommendations, are summarized below.