Shearman And Sterling

August 09, 2016

HHS Releases Guidance on Privacy and Security Audits and Ransomware



If your organization operates in the healthcare industry, particularly if it qualifies as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), you may have noticed the recent flurry of activity from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  First, HHS has recently launched phase two of its three-part audit of compliance with HIPAA privacy, security and breach notification rules.  Second, HHS has provided guidance on ransomware which states that the presence of ransomware is a “security incident,” which triggers breach disclosure obligations.  Organizations subject to HIPAA should review their security incident procedures in light of the upcoming audits and the ransomware guidance.  Entities outside the healthcare industry may also benefit from reviewing these guidance documents, since other agencies and governmental authorities may follow HHS’s lead in these interpretations.

View full memo, HHS Releases Guidance on Privacy and Security Audits and Ransomware

Authors and Contributors

Robert Masella


Mergers & Acquisitions

+1 212 848 5125

New York

Benjamin Petersen


Intellectual Property Transactions

+1 650 838 3706

Menlo Park