It’s Monday morning. You sit down at your desk and turn on your computer. Instead of the usual photo of your smiling staff, you see a red screen with the words “YOUR COMPUTER HAS BEEN LOCKED.” You’ve been hit with ransomware and now your patient records have been encrypted and the hackers are demanding $3000 for the encryption key.
This was a real situation for a Henry Schein dentist. In the end, he turned over 300+ pages of HIPAA documentation during his investigation. HIPAA breaches are on the minds of dentists, but many still believe “it won’t happen to me.” What if it does?
What do you know about responding to a breach?
What is a HIPAA breach?
Under HIPAA Rules, a breach is defined as “…the acquisition, access, use or disclosure of PHI (protected health information) in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” Breaches can happen in many ways: a hacking incident, records stolen in a break-in, a patient referral sent to the wrong fax number, etc. Breaches happen every day, and the key is being prepared to respond.
If we find ransomware on our computers, is it automatically a breach?
There are many opinions in the IT community. However, HHS has stated that unless it can be demonstrated there is a low probability that PHI has been compromised, ransomware is considered a presumed breach. Therefore, offices should treat it as a breach.
What is the response process if we have a breach in our office?
Following an identified breach in your office, there are many steps to follow. While this is not a complete list, it will help you understand the enormity of the response that is required.
- Contact your privacy attorney – following the discovery of a breach, you should quickly engage the services of a HIPAA privacy attorney.
- Notify your patients – you are required to notify patients affected by the breach within 60 days following the discovery of the breach. Patients are to be provided written notification either by first class mail or by email, if the patient has agreed to receive breach notices via email. The notification needs to include: what happened, what PHI was involved, what you are doing to fix the issues, what assistance you are providing to your patients, and what you are doing to prevent issues in the future.
- Notify the media – if your breach affects more than 500 individuals, you must then notify prominent media outlets in your area. This could include TV stations, newspapers, radio stations, etc. In addition, you may also be required to display a notice on your practice website.
- Notify the Secretary of HHS – notification of a breach must be provided to the Secretary of HHS. If the breach involves fewer than 499 patients, then the notification can be provided by the end of the calendar year. If the breach involves more than 500 patients, then you must provide notification within 60 days of discovery. The notification will include the same information provided to patients along with more specific information about the practice’s HIPAA activities and documentation.
While no one wants to experience a HIPAA breach, there are steps you can take to help prevent one from occurring in your office. Performing an annual risk analysis, updating policies and documenting your risk management activities can help you stay on track and achieve your compliance goals.
Katie Lay is co-founder and CEO of CAEK, Inc., a software-as-a-service company focused on providing software products to assist healthcare practitioners with the management of regulatory compliance. CAEK’s cloud-based platform, LayerCompliance®, provides easy-to-use online tools that help streamline and simplify the compliance process. Offering HIPAA and OSHA compliance services in one centralized dashboard, CAEK’s mission is to provide software tools that help healthcare organizations achieve compliance.
 FACT SHEET: Ransomware and HIPAA. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es