What is a “Security Incident” under the HIPAA Security Rule?  

Under the HIPAA Security Rule, a security incident is defined as:

• The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system; or
• The attempted or successful unauthorized access, use, disclosure, modification or interference with system operations in an information system. 

In plain English, a HIPAA security incident is an attempt (which can be successful or not) to do something unauthorized. The “something” that is unauthorized, is an unauthorized access, use, disclosure, modification, destruction, or interference.

A HIPAA security incident may occur when:

1. The unauthorized attempt to access, use, disclose, modify, destroy, or interfere, targets an organization’s information system.
2. The unauthorized attempt is made to access, use, disclose, modify, or interfere with that information system’s system operations.

What are Some Examples of HIPAA Security Incidents?

Examples of a HIPAA security incident include:

• Theft of passwords that are used to access electronic protected health information (ePHI).
• Virus attacks that interfere with the operations of information systems with ePHI.
• Physical break-ins that lead to the theft of media (e.g., electronic storage devices) that contain ePHI.
• Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with ePHI.
• Providing media with ePHI, such as a PC hard drive or laptop, to another user who is not authorized to access the ePHI prior to removing the ePHI stored on the media.

What are HIPAA Security Incident Procedures? 

Covered entities and business associates must develop Security Incident Procedures under the Security Incident Procedures standard of the HIPAA Security Rule. The procedures must establish adequate response and reporting procedures for HIPAA security incidents. 

HIPAA Security incident procedures must address the following:

• How to identify a security incident
• What specific actions constitute a security incident
• How, and to whom, the incident should be reported
• How security incidents should be documented, and what information should be contained in the documentation
• The response to be taken in the event of a particular security incident   

Creating the HIPAA security incident procedure should not involve reinventing the wheel.

To determine what constitutes a HIPAA security incident, an entity should be able to rely upon the information that it has already gathered in complying with the other Security Rule standards.

Specifically, the organization should be able to rely upon the risk assessment and risk management procedures it has developed under the Security Rule. Risk assessment and risk management procedures identify potential security threats; the security incident procedure then describes what to do if and when those threats materialize.

HIPAA security incident procedures must contain one final element:  The procedures must describe how workforce members are to respond to a security incident. Response procedures describe how employees should:

• Preserve evidence
• Mitigate, to the extent possible, the situation that caused the incident
• Document the incident and outcome
• Evaluate security incidents as part of ongoing risk management 

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address the requirement to develop security incident procedures by working with Compliancy Group to address federal HIPAA security standards. Developing effective security incident procedures is required to become HIPAA-compliant. 

Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain  their HIPAA compliance!