How to Track HIPAA Security Incidents Like a Pro


As a HIPAA privacy or security officer, you are used to seeing HIPAA compliance issues pop up out of nowhere. You don’t have the time to chase down the details of every security incident in your organization. However, security incident tracking doesn’t have to be chaotic or unorganized. 

Follow these four steps to set yourself up to track and manage security incidents like a pro. 

1. Know How HIPAA Defines a Security Incident 

First things first – you must know the difference between a security incident and a breach.

“§ 164.304 Definitions. Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” – Cornell Law School, Legal Information Institute

A breach occurs when an unauthorized person/entity successfully accesses, uses, discloses, modifies, or destroys unsecured protected health information (PHI) in a manner not allowed by the HIPAA Privacy Rule. You must report breaches to the Department of Health and Human Services Office for Civil Rights (HHS/OCR).

However, if the security incident does not result in a breach, you must simply record the incident and make plans to mitigate any harmful effects. You may also be required to provide remedial training. 

2. Have Security Incident Reporting Procedures  

Make sure employees know how to recognize and report a security incident. HIPAA training and security reminders are good ways to keep staff up-to-date on security incident reporting procedures. The goal is to equip employees to report security incidents to the proper authority and in a timely manner. 


There are many types of security incidents, but here are some common incidents you and your staff should be aware of: 

  • Malware attack. Viruses and other malware often use email to enter your organization. These are security incidents your staff must be able to recognize and report immediately. 
  • Denial of service. This security incident prevents users from accessing a system. Contact your IT department immediately, as this could be a sign of an organization-wide denial of service.
  • Loss or theft. Losing an electronic device that contains ePHI, such as an unencrypted laptop or USB, is a serious security incident that can lead to a major breach. Report it ASAP! 

3. Keep a Security Incident Log 

The HIPAA Security Rule requires you to document all security incidents and their outcomes. A security incident log helps you quickly record and correct security problems as they arise, as well as notice recurrent issues facing your organization. 

For example, if several employees mistakenly bring your organization’s unencrypted mobile devices to their home, this signals a recurrent security issue that you need to fix (encrypt the devices, use device check-out/check-in logs, and reinforce employee training). 

Keep in mind that you must maintain your incident log for six years from the date of the incident.

4. Use a Security Incident Tracking Tool 

A Word document or Excel spreadsheet can be just as cumbersome as a pen-and-paper log. So, to make security incident tracking easier, we recommend using a system, software, or tool designed for this purpose. 

We designed the Security Incident module of our HIPAA management software to streamline security incident tracking. You can use it to record an incident’s details and remediation steps with the click of a button and use tags to keep your log organized.

Plus, entries in the Security Incident module automatically record the person who added the incident, add a timestamp, and list modification details. This allows you to have precise information to present to the OCR in the event of an audit. 
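To make the properties described in steps 3 and 4 concrete, here is an added example of a minimal incident log in Python. It is not HIPAAtrek's code and not taken from the article; the field names, categories and the `IncidentLog` API are assumptions chosen for illustration. It shows what a tracking tool has to do for the log to be defensible in an audit: every entry records who reported it and when, entries are never deleted, each later edit is appended to an audit history with editor and timestamp, breaches are flagged separately from ordinary incidents, the six-year retention date is computed from the incident date, and clustered incidents of one category can be surfaced as a recurrent issue.

```python
"""Added example (not the article's or HIPAAtrek's code): an append-only
security incident log with audit fields, breach flagging, retention dates
and recurrent-issue detection. Field names and categories are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Optional

RETENTION_YEARS = 6  # retention period the article cites for incident documentation
EDITABLE = ("description", "category", "is_breach", "tags")


@dataclass(frozen=True)
class Change:
    """One edit to a logged incident: who changed which field, from what, to what."""
    who: str
    when: datetime
    field_name: str
    old: Any
    new: Any


@dataclass
class Incident:
    incident_id: int
    description: str
    category: str                    # assumed values: "malware", "denial_of_service", "loss_or_theft"
    reported_by: str                 # recorded automatically from the caller, not typed by hand
    created_at: datetime             # recorded automatically from the log's clock
    tags: set = field(default_factory=set)
    remediation: list = field(default_factory=list)
    is_breach: bool = False          # True only once unsecured PHI is confirmed compromised
    history: list = field(default_factory=list)  # append-only audit trail of later edits


def add_years(when: datetime, years: int) -> datetime:
    """Add calendar years; a 29 Feb date lands on 28 Feb in a non-leap target year."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


class IncidentLog:
    """Append-only incident log: entries are never deleted, edits are kept as history."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._entries: dict = {}
        self._next_id = 1
        # Injectable clock so tests are deterministic; real use takes UTC "now".
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, who: str, description: str, category: str, tags=()) -> Incident:
        """Create an entry; reporter and timestamp are filled in by the log itself."""
        inc = Incident(self._next_id, description, category, who, self._clock(), set(tags))
        self._entries[inc.incident_id] = inc
        self._next_id += 1
        return inc

    def update(self, incident_id: int, who: str, **changes) -> Incident:
        """Modify allowed fields; every change is appended to the audit history."""
        inc = self._entries[incident_id]
        for name, new in changes.items():
            if name not in EDITABLE:
                raise ValueError(f"field {name!r} is not editable")
            inc.history.append(Change(who, self._clock(), name, getattr(inc, name), new))
            setattr(inc, name, new)
        return inc

    def add_remediation(self, incident_id: int, who: str, step: str) -> Incident:
        """Remediation steps accumulate; adding one is itself an audited change."""
        inc = self._entries[incident_id]
        inc.remediation.append(step)
        inc.history.append(Change(who, self._clock(), "remediation", None, step))
        return inc

    def retention_until(self, incident_id: int) -> datetime:
        """Earliest date the entry may be disposed of: six years from the incident."""
        return add_years(self._entries[incident_id].created_at, RETENTION_YEARS)

    def reportable_breaches(self) -> list:
        """Entries flagged as breaches, i.e. those that need HHS/OCR notification."""
        return [i for i in self._entries.values() if i.is_breach]

    def recurrent(self, category: str, within: timedelta, min_count: int = 2) -> list:
        """Incidents of one category clustered in a window signal a systemic problem."""
        cutoff = self._clock() - within
        hits = [i for i in self._entries.values()
                if i.category == category and i.created_at >= cutoff]
        return hits if len(hits) >= min_count else []


if __name__ == "__main__":
    # Constructed sample data: two staff members take unencrypted devices home.
    log = IncidentLog()
    a = log.record("jdoe", "Unencrypted laptop taken home", "loss_or_theft", tags=["mobile"])
    log.record("asmith", "Unencrypted USB drive taken home", "loss_or_theft")
    log.add_remediation(a.incident_id, "privacy_officer", "Enable full-disk encryption")
    print("recurrent:", [i.incident_id for i in log.recurrent("loss_or_theft", timedelta(days=90))])
    print("retain until:", log.retention_until(a.incident_id).date())
```

The `recurrent` query is the piece that turns a log from a filing cabinet into a detection aid: the two device-at-home entries above would surface as one pattern, which is exactly the cue the article describes for fixing the underlying control (encryption, check-out logs, training) rather than each incident in isolation.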

In healthcare, security incidents are inevitable. However, they don’t have to leave you scrambling to keep track of every detail. You should proactively equip your team to recognize and report security incidents.  

You must also keep a detailed security incident log, whether on paper or with software or other tools. This will help you fix current security issues and recognize patterns so that you can guard yourself against future security threats. 

To learn more about how HIPAAtrek can take your HIPAA management to the next level, check out our platform page or shoot us an email – we’d love to answer your questions! 
