News & Analysis as of September 11, 2025

Business Associates › Ransomware › Department of Health and Human Services (HHS)

+ Follow

Business Associates can refer broadly to individuals engaged in business relationships with one another. However, in the HIPAA context, the term has a specific statutory meaning and those characterized as... more +

Business Associates can refer broadly to individuals engaged in business relationships with one another. However, in the HIPAA context, the term has a specific statutory meaning and those characterized as business associates have expanded data protection obligations and duties. Essentially, a business associate under HIPAA is a person or entity that performs certain functions or services which necessitates exposure to protected health information on behalf of a covered entity. Typical business associate functions include: claims processing or administration, data analysis, billing, etc. less -

OCR’s “Risk Analysis” Enforcement Initiative Continues Against Another Business Associate

Jackson Lewis P.C. on 8/19/2025

On August 18, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST). The announcement continues OCR’s escalating enforcement of the HIPAA...more

What HIPAA Security Rule Surprises Await Healthcare Providers for the Second Half of 2024?

Holland & Knight LLP on 5/14/2024

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has, as part of its mandate, the responsibility to enforce the Health Insurance Portability and Accountability Act (HIPAA) Security Rule....more

HHS Issue Six Figure Penalty for Ransomware Attack

Bricker Graydon LLP on 1/5/2024

Late last year, the Department of Health and Human Services (HHS) issued its first HIPAA settlement agreement involving a ransomware attack. In the press release announcing the settlement, HHS stated that they began...more

Business Associate Agrees to $100,000 Settlement Following Cyber Attack

Saul Ewing LLP on 11/9/2023

On Halloween, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $100,000 settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’...more

2022 Outlook: More Dangerous Ransomware Coupled With Inadequate Security Practices

Health Care Compliance Association (HCCA) on 1/17/2022

Report on Patient Privacy 22, no. 1 (January, 2022) - As the COVID-19 pandemic enters its third year, real “security fatigue” with pandemic-related issues will combine with cybercriminals’ increasingly sophisticated...more

Still Missing a New Leader, Former OCR Directors, Experts Offer Advice, Task List

Health Care Compliance Association (HCCA) on 8/13/2021

Issue a final rule revising the privacy regulation and write guidance on the information blocking rule. Formalize the fledgling audit program required by Congress more than 10 years ago. Engage with providers and other...more

How Can Healthcare Organizations Prepare for the Next Cyberattack?

Latham & Watkins LLP on 7/11/2017

HHS OCR issues checklist, iterative guidance in wake of WannaCry and Petya attacks; Anthem breach settlement provides additional lessons. Key Points: ..Healthcare organizations are particularly vulnerable to ransomware...more

A Closer Look at the OCR’s Guidance on Ransomware

BakerHostetler on 8/23/2016

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat...more

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

McDermott Will & Schulte on 8/8/2016

The US Department of Health and Human Services (HHS) has recently issued guidance under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and...more

HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and Are Likely a Data Breach

Foley Hoag LLP - Security, Privacy and the... on 7/25/2016

On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in...more

Ransomware Attack is a Breach – Unless You Can Prove Otherwise

Baker Donelson on 7/25/2016

Ransomware is the fastest growing malware threat in the United States, targeting simple home computers to elaborate corporate IT networks. The Federal Bureau of Investigation recently reported an increase in ransomware...more

OCR Issues New Guidance on Ransomware and HIPAA

Arnall Golden Gregory LLP on 7/20/2016

In response to a rising number of ransomware attacks on healthcare systems, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has issued new ransomware guidance on the HIPAA obligations of...more

OCR Announces New HIPAA Guidance on Ransomware

Cozen O'Connor on 7/14/2016

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil...more

Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements

Patterson Belknap Webb & Tyler LLP on 4/26/2016

From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement...more

14 Results

/

View per page

Page: of 1