By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
The HIPAA Security Rule includes requirements for a security incident response plan that are important to know, especially as the number of reported data breaches continues to rise.
The Data
Check Point Research provided a mid-year report on cyber attack trends that indicated a 69% increase in targeted healthcare data breaches between 2021 and 2022. As a result of this increase, the Office of Civil Rights (OCR) issued a reminder in its Cybersecurity Newsletter last month.
Security Incident Plan
The HIPAA Security Rule requires that HIPAA entities implement policies and procedures in a plan addressing security incidents. That includes data breaches. The plan should include documentation that outlines how the healthcare business will:
- Identify security incidents
- Respond to security incidents
- Mitigate the harmful effects of security incidents
- Document security incidents and their outcomes
In addition to documenting these four steps, the OCR recommends assembling a team for these tasks and training its members to respond to security incidents.
Choosing the right team members is important. Individuals should be full-time employees and ideally have expertise that will be an asset to the goals of the team, including both organizational and technical skills. Establish communication channels among the team members, and define a schedule for policy reviews and training.
Requirements
If the breach affects 500 or more individuals, it is considered a large-scale breach and must be reported within 60 days of discovery. Notification must be given to the OCR, affected individuals, and the media. For a smaller breach affecting fewer than 500 individuals, the reporting time frame changes to within 60 days of the end of the calendar year in which the breach was discovered; the OCR and affected individuals must still be notified. Always consult the current breach reporting guidelines, as the details may change.
This article was originally published on HIPAA Secure Now! and is republished here with permission.