Guide to HIPAA Incident Management
HIPAA incident management covers all stages of identifying and reporting an incident, tracking the incident, responding to the incident and mitigating its consequences, and documenting the incident and its outcome. How these stages are completed can depend on multiple factors – including how a HIPAA incident is defined.
In healthcare, the word “incident” is most often considered to mean a patient safety incident, as in an unintended or unexpected event that could have led to, or did lead to, harm to a patient or caregiver. However, HIPAA has a different definition of incident inasmuch as a HIPAA incident is defined as:
“The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” (§164.304).
Because this definition of a HIPAA incident appears in the HIPAA Security Rule, it is often considered to apply only to incidents that threaten the confidentiality, integrity, and availability of electronic Protected Health Information (PHI). This interpretation aligns with the security incident procedures standard in the HIPAA Security Rule’s Administrative Safeguards:
“Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents […] and document security incidents and their outcomes”. (§164.308(a)(6)).
Could the Definition Apply to PHI in Other Forms?
The definition of a HIPAA incident could apply to PHI in other forms (i.e., verbal, written, etc.) depending on how an organization interprets the definition. Indeed, developing a HIPAA incident management framework would help HIPAA covered entities (and business associates where applicable) comply with the Administrative Requirements of the HIPAA Privacy Rule:
“Reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.” (§164.530(c)(2)).
The application of a HIPAA incident management framework that covers both privacy incidents and security incidents has the advantage of streamlining incident response procedures, and appears to align with an interpretation of the HIPAA incident definition offered by HHS’ Office for Civil Rights in the preamble to the HIPAA Security Rule in 2003:
“An entity should be able to rely upon the information gathered in complying with the other security standards […] and the privacy standards to determine what constitutes a security incident in the context of its business operations.”
What a HIPAA Incident Management Framework Consists Of
To determine whether an organization should apply the same incident response procedures to both privacy and security incidents, it is best to establish what a HIPAA incident management framework consists of and whether it would be better to apply the framework universally, or adopt different procedures for privacy and security incidents.
Incident Identification and Reporting
There are many ways in which attempted or successful HIPAA incidents can be identified and reported. Due to the volume of attempts to gain unauthorized access to PHI, security incidents are usually detected and blocked by security software solutions that either report all attempts to automated systems or produce activity reports for review.
When a security incident avoids automatic detection – or when a privacy incident is identified by a member of the workforce – there needs to be a HIPAA incident reporting policy in place so the incident can be quickly escalated to the individual(s) or team responsible for tracking the incident, assessing the risk level, and responding to the incident.
Incident Tracking and Assessment
HIPAA incident tracking and assessment has the objectives of documenting each reported incident, prioritizing reports of security incidents, and ensuring all reported incidents are responded to. The documentation step is essential to comply with the “review” requirements of the HIPAA Security Management Process standard (§164.308(a)(1)).
Incidents can be tracked, assessed, and prioritized either manually, by using automated software, or a combination of the two. The “combination option” tends to be preferred by most healthcare that have adopted HIPAA incident management software as it mitigates the risks of human error and false negatives in automated processes.
Incident Response and Review
The incident response and review elements of a HIPAA incident management framework consists of containing, mitigating, and recovering from the incident, and then reviewing the whole HIPAA incident management process to see if any steps could have been completed quicker (i.e., reporting) or more efficiently (i.e., prioritization).
How incidents should be responded to depends on the nature and criticality of each incident, and whether the incidents are targeting electronic PHI or physical PHI. Reviews should also take into consideration whether the manual detection of an incident was due to all workforce members receiving adequate training, or attributable to luck!
HIPAA Incident Management Best Practices
Although some elements of a HIPAA incident management framework are mandatory, HIPAA covered entities and business associates are allowed a “flexibility of approach” in how HIPAA incidents are managed. Suggested best practices to include in a customized HIPAA incident management framework include:
- Make it easy for workforce members to manually report HIPAA incidents.
- Ensure reports are sent to a centralized location for tracking and assessment.
- Develop a HIPAA incident management policy for each type of incident.
- Periodically evaluate HIPAA incident management policies to ensure they are current.
- Document all actions taken during each incident and retain the documentation.
- Assess each HIPAA incident for breach notification obligations.
- Review HIPAA incident tracking reports to identify issues that need addressing with further technical safeguards or HIPAA training.
Implementing an effective HIPAA incident management framework can be challenging for covered entities and business associates – regardless of the interpretation of a HIPAA incident. Nonetheless, developing and implementing a HIPAA incident management framework can help organizations respond better to HIPAA incidents, identify emerging attack types, and fill gaps in HIPAA compliance activities.
