security incident procedures (HIPAA)
As part of their administrative safeguards, covered entities must implement policies and procedures to address security incidents. The Security Rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." (164.304)

(The regulations also define an information system: "[A]n interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications and people." Given this broad definition, almost any kind of disruptive activity "counts" as a security incident.)
This standard has only one implementation specification, and it is required: "response and reporting." This is defined as including three steps:

- identification and response to suspected or known security incidents;
- mitigation, to the extent practicable, of harmful effects of security incidents that are known or suspected; and
- documentation of the incidents and their outcomes.
The overall aim is "formal, documented report and response procedures so that security violations [are] reported and handled promptly." DHHS has declined to spell out details -- the specific documentation processes and appropriate responses "will be dependent upon an entity's environment and the information involved." (Final Rule, pp. 101-102)
The requirement here is for internal reporting and response; external reporting is not addressed by the standard. That would be governed by other business or legal considerations, such as any requirements of state law. (Note, however, that DHHS might ask to see security incident documentation as part of a compliance review.)