The hardest part is determining whether a breach has occurred that triggers HIPAA’s breach notification requirements. It is a fact-specific inquiry; however, when ransomware encrypts an entity’s ePHI, a breach has occurred, because an unauthorized party has taken control of the data. That breach is presumed to be reportable unless the covered entity or BA can demonstrate that there is a low probability that the ePHI has been compromised, based on a documented risk assessment of four factors:
(1) the nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification;
(2) the identity of the unauthorized person who used the ePHI or to whom the disclosure was made;
(3) whether the ePHI was actually acquired or viewed; and
(4) the extent to which the risk to the ePHI has been mitigated.
To answer these questions, you will need to engage forensic experts to determine the scope of the attack. They can help you establish where the attack entered your network, how it spread, whether any ePHI was accessed or exfiltrated (not merely encrypted in place), and whether the incident is a reportable breach. If it is, you will have to follow the breach notification steps with HHS and its Office for Civil Rights (OCR). If it is not, you must still fully document the incident and your risk assessment, including how it happened, when it happened, what you did to contain it, and how you plan to prevent it in the future. Also, as a side note, make sure your employees are trained not to let malware into your practice’s network.
There is no time like the present to update your software with the latest patches, implement anti-phishing training and software, and review your data recovery processes. Perform HIPAA training, test your backup procedures, test your business continuity plan, and document that you have done all of this. Don’t wait for the disaster to happen before you put these policies and procedures in place. Look at it as a fire drill: you want to practice your exit strategy before the fire. Test, test, test!