This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has one implementation specification, Response and Reporting, which is required for compliance. As we have noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates will also be required to comply with the Security Rule standards, effective February 17, 2010.
This safeguard standard and its implementation specification require covered entities to establish policies and procedures for responding to security incidents and reporting them. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” [68 Federal Register 8376]. This definition is comprehensive: it covers attempts as well as successes, and a wide variety of risks to information and systems that a covered entity may encounter. The definition also highlights the imperative for covered entities to consider, in their risk analysis, the potential vulnerabilities and threats that could affect information and system points left exposed in the absence of actions to mitigate those risks.
On Tuesday, March 3, HIPAA.com will post a discussion of the Response and Reporting implementation specification for the Security Incident Procedures Safeguard Standard, including sample Security Incident Report and Security Incident Log formats.