Effective HIPAA Incident Management
HIPAA incident management is the process of tracking, responding to, and documenting HIPAA security incidents as they are detected by automated security tools or reported by members of the workforce. An effective HIPAA incident management process not only supports compliance with the Administrative Safeguards of the HIPAA Security Rule, but it can also help identify gaps in an organization’s security defenses.
All HIPAA covered entities and business associates are required to have procedures in place for identifying and responding to suspected or known security incidents, mitigating any harmful effects of the incidents, and documenting the incidents and their outcomes (§164.308(a)(6)). It is also common for covered entities and business associates to implement procedures to regularly review security incident tracking reports as part of the required Security Management Process (§164.308(a)(1)).
However, the HIPAA Security Rule allows covered entities and business associates to be flexible in how they comply with these Administrative Safeguards. The degree of flexibility depends on an organization’s size, complexity, and capabilities, its existing technical infrastructure, hardware, and software security capabilities, and the cost of security measures compared to the probability and criticality of potential risks to Protected Health Information (PHI).
The flexibility of approach means that larger organizations with a wider attack surface can invest in an automated HIPAA incident management system, while smaller organizations can save on the cost of HIPAA compliance by implementing manual processes or subscribing to a HIPAA incident management software package. Regardless of whether HIPAA incident management is fully automated, manual, or semi-manual, the process must include specific elements.
Options for Detecting and Reporting Incidents
Although the HIPAA Security Rule requires covered entities and business associates to “identify and respond to suspected or known security incidents”, it is difficult to “reasonably and appropriately” comply with this requirement due to the definition of a security incident in the HIPAA Security Rule:
“Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Source: §164.304.
Taken literally, this definition means covered entities and business associates should have measures in place to detect (for example) port scans that were blocked at the perimeter, brute force attacks that never succeeded, and spam emails stopped and returned by a mail filter. While it is possible to log every such attempt and track each one as an incident, a cost vs. potential risk analysis would make treating every blocked attempt as a managed incident unreasonable for most organizations.
However, it is necessary for covered entities and business associates to have reasonable measures in place to detect port scans that reach internal systems, brute force attacks that persist or succeed, spam and phishing emails that evade the mail filter, and any other security incident that could have an adverse impact on the confidentiality, integrity, or availability of electronic PHI. Once an incident of this nature is detected, it is also necessary to have measures in place to report it quickly so it can be tracked and responded to.
Most organizations use a combination of automated and manual procedures for reporting security incidents. For example, anti-virus software will automatically raise an alert if it detects malware during a scan, while many anti-phishing solutions include mail client plug-ins that let users report suspected phishing emails directly to the IT Security Team. Some platforms combine automated alerts and manually reported incidents in one queue for easier management.
HIPAA Incident Tracking and Monitoring
HIPAA incident tracking and monitoring has three purposes. The first is to prioritize reports of security incidents so the most critical threats are responded to first. The second purpose is to ensure that every reported security incident is addressed and none is lost between reporting and resolution. The third purpose is to produce security incident tracking reports that can be regularly reviewed to comply with the HIPAA Security Management Process standard (§164.308(a)(1)).
As with the options for detecting and reporting HIPAA security incidents, the HIPAA incident management process for tracking and monitoring can be automated, manual, or a combination of the two. For many organizations the combination is preferable: the joint workforce of “man and machine” mitigates the risk of false negatives (and alert floods of false positives) in automated processes, and the risk of human error in solely manual processes.
The combination can also be more effective at identifying trends in security incidents when tracking reports are reviewed. Automated processes analyze data without business context, and solely manual processes are likely to be overwhelmed by the volume of data; a joint workforce can identify the gaps in an organization’s security defenses that are actually relevant to its operations and risk analyses.
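As an added example (not code from this page or from HIPAA Journal), the following Python script shows the “single queue” idea from the two sections above: an automated detection (a brute force pattern found in auth log lines), an automated anti-virus alert, and manually reported phishing emails all become one kind of tracking record, are prioritized together, and are summarized into the counts a periodic tracking-report review would look at. Everything in it is constructed for illustration: the sshd-style log lines, the host names, users and addresses, the EPHI_SYSTEMS asset inventory, and the detection threshold (five failures within 60 seconds) are assumptions, not values from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sshd-style auth log; hosts, users and addresses are fictitious.
AUTH_LOG = """\
Mar 14 09:01:02 ehr-db01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 09:01:03 ehr-db01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 14 09:01:05 ehr-db01 sshd[4121]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 14 09:01:06 ehr-db01 sshd[4121]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 14 09:01:08 ehr-db01 sshd[4121]: Failed password for dba from 203.0.113.7 port 51126 ssh2
Mar 14 09:01:09 ehr-db01 sshd[4121]: Accepted password for dba from 203.0.113.7 port 51127 ssh2
Mar 14 09:15:40 ws-frontdesk3 sshd[882]: Failed password for jsmith from 10.20.0.14 port 40001 ssh2
Mar 14 09:15:55 ws-frontdesk3 sshd[882]: Accepted password for jsmith from 10.20.0.14 port 40002 ssh2
"""

# Assumed asset inventory: systems that store or process ePHI.
EPHI_SYSTEMS = {"ehr-db01"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

@dataclass
class Incident:
    """The minimum 'Incident Details' fields of a tracking record."""
    category: str      # brute_force, malware, phishing_report, ...
    severity: str
    detected_at: str   # date/time of the incident
    location: str      # host or workstation where it occurred
    description: str   # what happened and how it was discovered
    source: str        # workforce member or tool that raised it
    ephi_at_risk: bool
    status: str = "open"

def parse_auth_log(text, year=2024):
    """Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events

def detect_brute_force(events, threshold=5, window_seconds=60):
    """Open an incident at >= threshold failures from one source to one host inside
    the window. The §164.304 definition covers attempted and successful access
    alike, so a later successful login from that source does not open a second
    record: it upgrades the existing one to critical."""
    incidents, failures = {}, {}
    for ts, host, result, user, src in sorted(events):
        key = (host, src)
        if result == "Failed":
            window = [t for t in failures.get(key, []) if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            failures[key] = window
            if len(window) >= threshold and key not in incidents:
                incidents[key] = Incident(
                    "brute_force", "high" if host in EPHI_SYSTEMS else "medium", ts.isoformat(), host,
                    f"{len(window)} failed logins from {src} within {window_seconds}s; found by auth-log monitor",
                    "auth-log monitor", host in EPHI_SYSTEMS)
        elif result == "Accepted" and key in incidents:
            incidents[key].severity = "critical"
            incidents[key].description += f"; then successful login as '{user}' at {ts.time()}"
    return list(incidents.values())

def ingest_av_alert(host, malware_name, detected_at):
    """Automated path: an AV quarantine event becomes a record as-is."""
    at_risk = host in EPHI_SYSTEMS
    return Incident("malware", "high" if at_risk else "medium", detected_at, host,
                    f"AV quarantined {malware_name} during scheduled scan", "endpoint AV", at_risk)

def ingest_user_report(reporter, workstation, detected_at, clicked_link):
    """Manual path: a mail-client 'report phishing' button. A clicked link is
    treated as possible credential theft, so ePHI is conservatively at risk."""
    return Incident("phishing_report", "high" if clicked_link else "low", detected_at, workstation,
                    "User reported suspicious email" + ("; link was clicked" if clicked_link else "; not opened"),
                    reporter, clicked_link)

def prioritize(incidents):
    """One queue, most critical first, ePHI systems ahead of the rest."""
    return sorted(incidents, key=lambda i: (SEVERITY_RANK[i.severity], not i.ephi_at_risk, i.detected_at))

def tracking_report(incidents):
    """Counts for the periodic review of tracking reports under §164.308(a)(1)."""
    return {"open": sum(i.status == "open" for i in incidents),
            "by_category": dict(Counter(i.category for i in incidents)),
            "by_location": dict(Counter(i.location for i in incidents)),
            "ephi_at_risk": sum(i.ephi_at_risk for i in incidents)}

def build_queue():
    """Merge the automated detections and the manual reports into one queue."""
    incidents = detect_brute_force(parse_auth_log(AUTH_LOG))
    incidents.append(ingest_av_alert("ws-frontdesk3", "Trojan.Example (constructed)", "2024-03-14T08:40:00"))
    incidents.append(ingest_user_report("jsmith", "ws-frontdesk3", "2024-03-14T09:20:00", clicked_link=False))
    incidents.append(ingest_user_report("rlee", "ws-billing7", "2024-03-14T09:22:00", clicked_link=True))
    return prioritize(incidents)

if __name__ == "__main__":
    queue = build_queue()
    for inc in queue:
        print(f"[{inc.severity:8}] {inc.category:15} {inc.location:14} {inc.description}")
    print(tracking_report(queue))
```

Run as-is, the script puts the brute force against the ePHI database at the top of the queue, upgraded to critical because the fifth failure was followed by a successful login from the same address, and the single failed login on the workstation produces no record at all. The clicked phishing report outranks the quarantined malware on a non-ePHI workstation only because of the conservative ePHI flag; the severity and ePHI rules are exactly the part an organization would tune to its own risk analysis.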
HIPAA Incident Handling and Response
The HIPAA incident handling and response element of the HIPAA incident management process consists of containment, mitigation, and recovery. As different types of threat can be contained, mitigated, and recovered from in different ways, there is no one-size-fits-all playbook for HIPAA incident handling and response. Covered entities and business associates are therefore advised to follow the guidance of the HIPAA Security Rule which (summarized) states:
“Covered entities and business associates must implement […] policies and procedures (§164.316(a)), that protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI (§164.306(a)(2)), and establish procedures to restore any loss of data ( §164.308(a)(7))”.
The summarized guidance effectively requires covered entities and business associates to develop a HIPAA incident management policy for reasonably anticipated incidents, and implement procedures for HIPAA incident handling and response that ensure the restoration of any data lost in an incident. Importantly, the policies and procedures need to be readily available to individuals responsible for HIPAA incident handling and response.
In addition, the policies and procedures must be “periodically evaluated” to ensure they continue to meet the requirements of the HIPAA Security Rule (§164.308(a)(8)). While some automated HIPAA incident management systems can keep policies up-to-date, human involvement is still recommended in order to ensure the accuracy of automated updates and that changes to HIPAA incident policies do not compromise existing security measures.
Documenting HIPAA Security Incidents
It was mentioned previously that the documentation of security incidents and their outcomes is a requirement of the Administrative Safeguards (§164.308(a)(6)). The standard provides no guidance on what a HIPAA incident document should contain – potentially limiting opportunities to learn from the incident, implement measures to reduce the likelihood of similar incidents, provide appropriate workforce training, and mitigate the consequences of future incidents.
Again, there is no one-size-fits-all playbook for HIPAA incident documentation because some types of incidents can be contained, mitigated, and recovered from quickly, whereas other types are more involved and consist of more stages. As a guide, covered entities and business associates are advised to include the following in a HIPAA incident document as a minimum:
Incident Details
- Date and time of the incident.
- Location where the incident occurred.
- Description of the incident, including how it was discovered.
Individuals Involved
- Name of workforce member/software solution that generated an alert.
- Name of workforce member(s) who investigated the incident.
- Name(s) of any other personnel involved in resolving the incident.
Details of the Incident
- Explanation of what happened (unauthorized access, ransomware attack, etc.).
- Explanation of how it happened (misconfiguration, interaction with phishing email, etc.).
- Explanation of chain of events leading up to incident if human error is involved.
Details of Information Accessed (if applicable)
- Type of information accessed and whether it qualifies as PHI.
- Whether the information was removed/deleted/compromised.
- Scale of the incident (i.e., number of individuals affected).
Immediate Actions Taken
- Steps taken to contain and mitigate the incident.
- Time(s) at which steps were taken in relation to initial report.
- Impact of the immediate actions on operations.
Investigation and Resolution
- Findings of internal review.
- Corrective actions taken to prevent future incidents.
- Policy updates or employee training implemented.
Regulatory Reporting (if applicable)
- Affected individuals notified.
- State attorney general notified (where state breach notification law requires it).
- HHS’ Office for Civil Rights notified.
Signature/Approval
- Signatures from those involved in the incident and compliance officers.
Breach Risk Assessments and Notifications
If a HIPAA security incident has resulted in an impermissible use or disclosure of unsecured PHI, the incident is presumed to be a notifiable breach (notifiable to affected individuals and to HHS’ Office for Civil Rights, and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected) unless the covered entity or business associate can demonstrate via a breach risk assessment that there is a low probability the unsecured PHI has been compromised (§164.402). Many state breach notification laws additionally require notifying the state attorney general. The breach risk assessment should consider at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made, and whether they are likely to further use or disclose it (for example, whether they are themselves bound by HIPAA).
- Whether the unsecured PHI was actually acquired or viewed and, if viewed, the likelihood of the information being retained.
- The extent to which the consequences of the HIPAA security incident have been mitigated.
Organizations can notify all breaches “out of an abundance of caution”, but a HIPAA incident management policy of this nature can result in an unnecessary loss of trust by patients and unnecessary compliance investigations by regulatory authorities. It is therefore advisable to include breach risk assessments in a HIPAA incident management process and, if a breach is notifiable, only then follow the HIPAA breach notification requirements.
HIPAA Incident Management Best Practices
While some elements in a HIPAA incident management process are mandatory (appoint a Security Officer, have procedures in place for identifying and responding to security incidents, etc.), covered entities and business associates can streamline the process by implementing certain HIPAA incident management best practices. Suggested best practices include (but are not limited to):
- Make it simple for members of the workforce to report security incidents.
- Ensure all incidents are reported to a single location so they can be prioritized.
- Assign responsibility for HIPAA incident handling for each type of incident.
- Develop a HIPAA incident management policy for each type of incident.
- Periodically evaluate policy and procedures to ensure they remain effective.
- Ensure the actions taken during the security incident are documented.
- Assess each security incident for breach notification obligations.
- Review security incident tracking reports to identify vulnerabilities that require additional technical safeguards or additional HIPAA training.
Implementing an effective HIPAA incident management process can help covered entities and business associates identify trends in attack vectors and gaps in the organization’s security defenses. Consequently, covered entities and business associates are advised to review their existing processes for HIPAA incident management and streamline them where necessary using a combination of automated systems and manual procedures.