HIPAA - Response and Reporting 164.308(a)(6)(ii)
Overview:
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Action Items:
1) Obtain and review policies and procedures related to responding and reporting security incidents. Evaluate and determine if incident response procedures are in place. Elements to review may include but are not limited to:
- A methodology for defining security incidents based on levels of criticality
- Provisions for reporting and responding to all types of known and suspicious security incidents based on criticality levels of such incidents
- The roles and responsibilities of workforce members, including the entity's security incident response team
2) Obtain and review documentation of responding to, reporting, and mitigating security incidents. Evaluate and determine if security incident response, reporting, and mitigation procedures are followed by workforce members; are conducted in a timely manner; and their outcomes are properly documented and communicated to the appropriate workforce members.
Related Documents:
1) Policies and procedures related to responding and reporting security incidents.
2) Documentation of responding to, reporting, and mitigating security incidents.
Additional Guidance:
Security incident procedures must describe how workforce members are to respond to an incident. This may include: preserving evidence; mitigating, to the extent possible, the situation that caused the incident; documenting the incident and the outcome; and evaluating security incidents as part of ongoing risk management. Covered entities must be aware of any number of possible incidents that they may have to deal with. For example:
- Stolen or otherwise inappropriately obtained passwords that are used to access EPHI
- Corrupted backup tapes that do not allow restoration of EPHI
- Virus attacks that interfere with the operations of information systems with EPHI
- Physical break-ins leading to the theft of media with EPHI
- Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with EPHI
- Providing media with EPHI, such as a PC hard drive or laptop, to another user who is not authorized to access the EPHI prior to removing the EPHI stored on the media.
A covered entity’s security incident procedures must establish adequate response and reporting procedures for these and other types of events.
Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented to address security incidents?
- Do the security incident policies and procedures list possible types of security incidents and the response for each?
- Do the security incident policies and procedures identify to whom security incidents must be reported?