All healthcare Covered Entities and their Business Associates and subcontractors will experience “operational issues” that may or may not be “security incidents” that may or may not be “breaches”. The HIPAA Security Final Rule and HITECH Breach Notification Interim Final Rule meet and complement each other to set your requirements.
Because of the certainty of security incidents affecting healthcare organizations and the stiff penalties and embarrassment associated with breaches, your organization needs to be equipped with a formal and tested methodology for identifying and responding to these incidents.
In the HIPAA Security Final Rule, in §164.304 Definitions, a Security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
Under the Administrative Safeguards, in §164.308 the requirement for security incident management is spelled out:
(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
(ii) Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Section 13402 of the HITECH Act and this Breach Notification Interim Final Rule require covered entities and business associates to provide notification following a breach of unsecured protected health information. Section 13400(1)(A) of the HITECH Act defines “breach” as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
The Breach Notification Interim Final Rule essentially provides a prescriptive set of steps one must go through to determine whether a “security incident” does in fact constitute a breach. Organizations must have policies and procedures in place to meet the requirements of both the Security Incident Procedures standard and the Breach Notification Interim Final Rule.
Clearwater Compliance is a trusted partner in HIPAA – HITECH compliance. We partner with our clients to help them become and remain HIPAA – HITECH compliant. Following are best-of-breed resources that will help you meet the Security Incident Procedures standard and the Breach Notification Interim Final Rule requirements:
- Breach Notification Policy and Procedures ToolKit™
- HIPAA Security Policies and Procedures ToolKit™
- Security Incident Management and Breach Notification Risk Assessment, Reporting and Documentation (RADAR™) Software
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.