Q&A: Determining whether ransomware is a reportable breach
Q. If a ransomware attack occurs and it encrypts our EHR, is that a reportable breach?
A. It might or might not be a reportable breach. OCR issued guidance regarding when ransomware is and is not a reportable breach. If the data stored in the EHR was encrypted at the time of the attack and you can prove it was encrypted, it does not represent a breach of unsecured PHI; therefore, it would not be reportable.
On the other hand, if the data was not encrypted, CEs are required to complete the four-factor risk assessment found in the HIPAA Breach Notification Rule. If the CE can prove through, for example, a thorough forensic investigation that there was a low risk of compromise, the breach is not reportable. If the risk of compromise is not considered low, the breach is reportable. In the end, CEs need to be able to prove whether a breach occurred and what the risk level was determined to be.
Editor’s note: This question was answered by Chris Apgar. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at firstname.lastname@example.org.