What is the HIPAA Definition of a Security Incident?

The HIPAA definition of a security incident (45 CFR §164.304) is the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system”. The inclusion of the word “attempted” means that unsuccessful attempts to access information and systems are security incidents too, and must be identified, documented, and accounted for in information system activity reviews, risk analyses, and contingency plans.

The reason it is important to be aware of the HIPAA definition of a security incident is that the security incident procedures standard (§164.308(a)(6)) requires HIPAA regulated entities to identify and respond to all suspected or known security incidents – whether successful or not – and to document the incidents and their outcomes. The information system activity review required by §164.308(a)(1)(ii)(D) (reviewing audit logs, access reports, and security incident tracking reports) is one of the main ways those incidents are detected. Compliance with these standards is necessary to support compliance with many other HIPAA Security Rule standards.

For example, HIPAA regulated entities are required to account for suspected or known security incidents – whether successful or not – when conducting the risk analysis required by §164.308(a)(1)(ii)(A) in order to comply with the General Requirements of the HIPAA Security Rule (§164.306(a)). The General Requirements require HIPAA regulated entities to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic Protected Health Information.


Thereafter, based on the outcome of their risk analyses, HIPAA regulated entities are required to implement policies and procedures to address the security incidents that are reasonably anticipated, to cover the policies and procedures that apply to workforce members in HIPAA security awareness training (§164.308(a)(5)), and to periodically test the policies and procedures that form part of a HIPAA contingency plan, emergency mode operation plan, or disaster recovery plan (§164.308(a)(7)).

What PHI Does the HIPAA Definition of a Security Incident Apply To?

Before it is possible to identify, document, and respond to HIPAA security incidents, it is necessary to dissect the HIPAA definition of a security incident in order to determine what the definition covers. The first question is whether the definition applies only to electronic Protected Health Information or to Protected Health Information in any format (i.e., paper forms, medical charts, x-ray film, etc.).

As the HIPAA definition of a security incident appears in the definitions section of the HIPAA Security Rule (§164.304), rather than in the general definitions that apply to all of the HIPAA Administrative Simplification rules (§160.103) or in the definitions section of the HIPAA Privacy Rule, it is reasonable to conclude that the HIPAA definition of a security incident only applies to electronic Protected Health Information. Furthermore, all other references to security incidents (policies, procedures, reports, business associate reporting, etc.) appear only in the HIPAA Security Rule.

There are standards in the HIPAA Privacy Rule that require HIPAA regulated entities to safeguard the privacy of Protected Health Information in any format. There is also a General Requirement in the HIPAA Security Rule (§164.306(a)(3)) that requires HIPAA regulated entities to protect electronic Protected Health Information against uses and disclosures not permitted by the HIPAA Privacy Rule. Nonetheless, the definition of a security incident under HIPAA applies only to electronic Protected Health Information; an impermissible disclosure of paper records is a Privacy Rule violation and potentially a breach, but it is not a “security incident” in the Security Rule sense.

What is a HIPAA Security Incident?

A HIPAA security incident can be a seemingly “immaterial incident” attributable to an external actor, such as a spam email blocked by an email filter, a failed brute force login attempt, or a ping, port scan, or other unsuccessful probe for vulnerabilities. HHS has published guidance about immaterial incidents stating that they should be monitored in order to identify increases in spam emails, brute force attacks, and suspicious patterns of pings (etc.). The practical point is that the value of these events lies in their trend, not in any single event: a handful of failed logins a day is background noise, while a sudden burst from one address is an incident worth responding to.
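The paragraph above recommends monitoring immaterial incidents for trends rather than treating each one in isolation. The following is an added example, not code from the original page or from HHS, of how a small script can turn constructed log lines from three sources (an SSH daemon, a perimeter firewall, and a mail filter) into daily counts per category and flag a category whose latest-day count jumps above its recent baseline. The log formats, the category names, the 2x baseline threshold, and the requirement for at least two baseline days are all assumptions made for the example; a real activity review would use the entity's own log formats and a threshold chosen from its risk analysis.

```python
"""Trend-flagging over "immaterial" security incidents (added example).

Every log line below is constructed for this example; the formats, thresholds
and category names are assumptions, not something HHS guidance prescribes.
"""
import re
from collections import Counter, defaultdict
from statistics import mean
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log (not from a real system). Day 3 contains a burst of
# failed SSH logins from one address, the pattern a reviewer should notice.
SAMPLE_LOG_LINES = [
    "2024-05-01T08:12:03Z sshd: Failed password for invalid user admin from 203.0.113.10 port 51022",
    "2024-05-01T08:12:09Z sshd: Failed password for root from 203.0.113.10 port 51030",
    "2024-05-01T09:40:00Z fw: DENY TCP 198.51.100.7:44551 -> 192.0.2.20:3389",
    "2024-05-01T11:03:41Z mailfilter: BLOCKED spam from=lottery@example.net",
    "2024-05-02T02:15:18Z sshd: Failed password for root from 203.0.113.10 port 51100",
    "2024-05-02T07:01:00Z fw: DENY TCP 198.51.100.7:44552 -> 192.0.2.20:445",
    "2024-05-02T13:22:10Z mailfilter: BLOCKED spam from=invoice@example.org",
    "2024-05-03T01:00:01Z sshd: Failed password for root from 203.0.113.10 port 51200",
    "2024-05-03T06:30:00Z fw: DENY TCP 198.51.100.7:44553 -> 192.0.2.20:22",
    "2024-05-03T10:45:12Z mailfilter: BLOCKED spam from=prize@example.com",
] + [
    # Twelve more failures within one minute: the constructed brute-force burst.
    f"2024-05-03T01:01:{s:02d}Z sshd: Failed password for root from 203.0.113.10 port {51201 + s}"
    for s in range(12)
]

# Each category maps to a regex with a named group "src" for the remote party.
PATTERNS = {
    "failed_login": re.compile(r"sshd: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
    "blocked_connection": re.compile(r"fw: DENY \w+ (?P<src>[\d.]+):\d+ -> "),
    "spam_blocked": re.compile(r"mailfilter: BLOCKED spam from=(?P<src>\S+)"),
}


class Event(NamedTuple):
    day: str        # YYYY-MM-DD, taken from the ISO timestamp prefix
    category: str
    source: str


class Spike(NamedTuple):
    category: str
    day: str
    count: int
    baseline: float  # mean daily count over the preceding days


def parse_line(line: str) -> Optional[Event]:
    """Classify one log line; lines matching no pattern are ignored."""
    for category, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return Event(line[:10], category, m.group("src"))
    return None


def parse_log(lines: List[str]) -> List[Event]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def daily_counts(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """category -> day -> number of events: the raw material of an activity review."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.category][e.day] += 1
    return {c: dict(d) for c, d in counts.items()}


def flag_spikes(counts: Dict[str, Dict[str, int]], factor: float = 2.0,
                min_baseline_days: int = 2) -> List[Spike]:
    """Flag a category when its latest day is at least `factor` times the mean
    of the preceding days. A minimum number of baseline days stops a single
    prior day from becoming the baseline (both values are assumptions)."""
    spikes = []
    for category, per_day in counts.items():
        days = sorted(per_day)
        if len(days) <= min_baseline_days:
            continue
        *prior, last = days
        baseline = mean(per_day[d] for d in prior)
        if per_day[last] >= factor * baseline:
            spikes.append(Spike(category, last, per_day[last], baseline))
    return spikes


def top_sources(events: List[Event], category: str) -> Counter:
    """Who is behind one category's events, so a reviewer can tell a single
    persistent address apart from diffuse background noise."""
    return Counter(e.source for e in events if e.category == category)


def review_entries(lines: List[str]) -> List[str]:
    """Plain-text lines a reviewer could record in the activity-review log."""
    events = parse_log(lines)
    counts = daily_counts(events)
    out = []
    for s in flag_spikes(counts):
        src, n = top_sources(events, s.category).most_common(1)[0]
        out.append(f"{s.day} {s.category}: {s.count} events vs baseline {s.baseline:.1f}/day; "
                   f"top source {src} ({n} events overall)")
    return out


if __name__ == "__main__":
    for entry in review_entries(SAMPLE_LOG_LINES):
        print(entry)
```

Run as-is, the script reports the day-3 failed-login burst against a baseline of 1.5 per day and attributes it to the single source address, while the steady one-a-day firewall denials and spam blocks stay unflagged. That is the distinction the activity review needs: the unflagged events are still documented in the counts, but only the trend change warrants an incident response.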

However, most “serious” HIPAA security incidents are attributable to the negligent actions of workforce members. It has been calculated that around 80% of data breaches in healthcare have a “human element” once interactions with phishing emails, misconfigured servers, snooping, and misdeliveries are accounted for. The use of unsanctioned software or services to create, receive, store, or transmit Protected Health Information is another common cause of serious HIPAA security incidents.

For reference, HHS’ most recent report to Congress revealed that HHS’ Office for Civil Rights receives more than 60,000 breach notifications per year, the great majority of them for breaches affecting fewer than 500 individuals. While not all HIPAA data breaches are attributable to HIPAA security incidents (some are paper or oral disclosures), the implication is that the majority of serious HIPAA security incidents stem from a lack of HIPAA knowledge, a lack of compliance with HIPAA policies and procedures, or a lack of care.

How to Reduce the Volume of Serious HIPAA Security Incidents

As mentioned previously, HIPAA regulated entities are required by the General Requirements of the HIPAA Security Rule to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic Protected Health Information. As also mentioned previously, the majority of serious HIPAA security incidents are attributable to the negligent actions of workforce members rather than solely to the work of external actors.

Therefore, while it is important to monitor trends in immaterial incidents and include them in system activity reviews, risk analyses, and contingency plans, the way to reduce the volume of serious HIPAA security incidents is to properly educate workforce members on why serious HIPAA security incidents happen and what the real consequences of HIPAA security incidents are in terms of the impact they have on patients.

There are many online HIPAA awareness training courses that can fill gaps in workforce HIPAA knowledge and help make HIPAA policies and procedures more understandable. The theory behind online HIPAA awareness training courses is that, if workforce members better understand why a HIPAA policy exists, they are more likely to comply with it and less likely to try to circumvent security controls or take compliance shortcuts “to get the job done”.

The Real Consequences of HIPAA Security Incidents for Patients

With regard to training members of the workforce to take more care, this can be achieved by providing real-life examples of patients coming to harm because of a workforce member’s carelessness. For example, the recent cyberattack on Ascension started after an employee “accidentally” downloaded a malicious attachment from an email. At least one patient death has been attributed to the non-availability of the EHR during the outage, while several more patients experienced near-miss events.

Other real consequences of HIPAA security incidents for patients include medical identity theft. A recent report into the scale of medical identity theft claimed it affected almost 2 million patients per year, more than a quarter of whom suffered a misdiagnosis, were prescribed the wrong medication, or received the wrong treatment (e.g., wrong-site surgery) because the misuse of their health records had introduced inaccuracies into them.

A further study looked into the impact of HIPAA security incidents on patients when healthcare organizations implement remediation measures retrospectively, after an impermissible disclosure of Protected Health Information or a HIPAA data breach, rather than proactively. The study found a reduction in the timeliness of care and an increase in patient mortality rates for up to three years following the incidents.

It is Important to Understand the Full HIPAA Definition of a Security Incident

It is important to understand the full HIPAA definition of a security incident because some sources interpret the definition as relating only to technical security mechanisms and the policies that support them. However, as the explanation above demonstrates, implementing more security mechanisms and security policies alone will do little to reduce the volume of serious HIPAA security incidents that are attributable to workforce negligence.

Understanding the full definition of a security incident under HIPAA will also enable HIPAA regulated entities to develop more effective security incident response plans that address issues such as a reluctance by negligent workforce members to report incidents. This may not only help to reduce the number of HIPAA security incidents, but may also help mitigate the harmful effects of those that still occur, as §164.308(a)(6) of the HIPAA Security Rule requires.

HIPAA regulated entities that want to demonstrate a good faith effort to comply with HIPAA must account for both successful and unsuccessful security incidents, including those with a human element, in system activity reviews, risk analyses, and contingency plans in order to better safeguard the security of electronic Protected Health Information and mitigate the consequences of operational disruptions, medical identity theft, and reductions in the quality of patient care.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/