HIPAA Compliance

Security Incident Procedures: What This HIPAA Security Rule Administrative Safeguard Standard Means

March 2, 2009 · HIPAA Law

This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has one implementation specification, Response and Reporting, which is required for compliance. As we have noted in earlier postings, with the enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

This safeguard standard and its implementation specification require covered entities to establish policies and procedures to respond to security incidents and to report them. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system” [68 Federal Register 8376]. This definition is comprehensive, covering a wide variety of risks to information and systems that a covered entity may encounter. The definition also underscores the need for covered entities to consider, in their risk analyses, the potential vulnerabilities and threats that could affect vulnerable information and system points if no action is taken to mitigate those risks.

On Tuesday, March 3, HIPAA.com will post a discussion of the Response and Reporting implementation specification for the Security Incident Procedures Safeguard Standard, and will include sample Security Incident Report and Security Incident Log formats.
