As a HIPAA privacy or security officer, you are used to seeing HIPAA compliance issues pop up out of nowhere. You don’t have the time to chase down the details of every security incident in your organization. However, security incident tracking doesn’t have to be chaotic or unorganized.
Follow these four steps to set yourself up to track and manage security incidents like a pro.
1. Know How HIPAA Defines a Security Incident
First things first – you must know the difference between a security incident and a breach.
§ 164.304 Definitions. “Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” – Cornell Law School, Legal Information Institute
A breach occurs when an unauthorized person/entity successfully accesses, uses, discloses, modifies, or destroys unsecured protected health information (PHI) in a manner not allowed by the HIPAA Privacy Rule. You must report breaches to the Department of Health and Human Services Office for Civil Rights (HHS/OCR).
However, if the security incident does not result in a breach, you must simply record the incident and make plans to mitigate any harmful effects. You may also be required to provide remedial training.
2. Have Security Incident Reporting Procedures
Make sure employees know how to recognize and report a security incident. HIPAA training and security reminders are good ways to keep staff up-to-date on security incident reporting procedures. The goal is to equip employees to report security incidents to the proper authority and in a timely manner.
There are many types of security incidents, but here are some common incidents you and your staff should be aware of:
- Malware attack. Viruses and other malware often use email to enter your organization. These are security incidents your staff must be able to recognize and report immediately.
- Denial of service. This security incident prevents users from accessing a system. Contact your IT department immediately, as this could be a sign of an organization-wide denial of service.
- Loss or theft. Losing an electronic device that contains ePHI, such as an unencrypted laptop or USB, is a serious security incident that can lead to a major breach. Report it ASAP!
3. Keep a Security Incident Log
The HIPAA Security Rule requires you to document all security incidents and their outcomes. A security incident log helps you quickly record and correct security problems as they arise, as well as notice recurrent issues facing your organization.
For example, if several employees mistakenly bring your organization’s unencrypted mobile devices to their home, this signals a recurrent security issue that you need to fix (encrypt the devices, use device check-out/check-in logs, and reinforce employee training).
Keep in mind, you must maintain your incident log for six years from the date of the incidents.
4. Use a Security Incident Tracking Tool
A Word document or Excel spreadsheet can be just as cumbersome as a pen-and-paper log. So, to make security incident tracking easier, we recommend using a system, software, or tool designed for this purpose.
We designed the Security Incident module of our HIPAA management software to streamline security incident tracking. You can use it to record an incident’s details and remediation steps with the click of a button and use tags to keep your log organized.
Plus, entries in the Security Incident module automatically record the person who added the incident, add a timestamp, and list modification details. This allows you to have precise information to present to the OCR in the event of an audit.
In healthcare, security incidents are inevitable. However, they don’t have to leave you scrambling to keep track of every detail. You should proactively equip your team to recognize and report security incidents.
You must also keep a detailed security incident log, whether on paper or with software or other tools. This will help you fix current security issues and recognize patterns so that you can guard yourself against future security threats.