HIPAA Security Tip #26: Security Incident Response And Reporting

By Iseman Cunningham Riester & Hyde LLP

Covered Entities must implement policies and procedures to address security incident response and reporting. (See Tip #6 for a general discussion of security incidents.) Security incident response and reporting is a “required” specification and includes the obligation to:

  1. identify and respond to known and suspected security incidents;
  2. mitigate the harmful effects of security incidents; and
  3. document security incidents and their outcomes.

Security incident response and reporting policies should require immediate reporting of security incidents to the Security Officer (or a designee for reporting purposes). Because they require specific actions under important circumstances, reporting policies should be clear, simple, and easy to remember, and should offer multiple methods for reporting. A clear definition of “security incident” is essential to avoid both over- and under-reporting by employees. Avoid the temptation to front-load the investigation process by requiring lengthy forms and processes, which will deter reporting in the first place.

The Security Rule does not specifically require reporting of security incidents to outside entities. Depending on the incident, however, such a requirement may be imposed by other Federal laws, state law, or contractual obligations with other entities (particularly if your entity is a business associate of another covered entity). Security incident reporting procedures should include procedures for determining when reports to outside entities are desirable or required and should dovetail with existing mandatory reporting policies.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
