
HIPAA, Security Incidents, and Reportable Events

In the interconnected world of digital health information, safeguarding Protected Health Information (PHI) is paramount. Healthcare providers are legally required to follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and that compliance includes knowing how to identify and respond to security incidents.

Among these, the concepts of security incidents, reportable events, and the implementation of the Breach Notification Rule are particularly critical. These aspects of HIPAA are at the heart of ensuring that health information remains confidential and that violations are promptly addressed and communicated appropriately.

This article explains the obligations of HIPAA-covered entities and their business associates under the Breach Notification Rule regarding reportable events. We will explore how to identify security incidents, determine their severity, ascertain if they constitute a reportable event, and understand the necessary steps for notification during a breach.


What Is a HIPAA Security Incident?

A HIPAA security incident is an event that could compromise the security or privacy of protected health information (PHI).

Under HIPAA, organizations that handle PHI are required to protect it with sufficient technical, physical, and administrative safeguards. When those safeguards are threatened with a potential breach, that is, when there is a possibility that PHI has been accessed by or disclosed to an unauthorized individual, the event is considered a security incident.

If a HIPAA security incident occurs, the covered entity or business associate must thoroughly document and investigate it. If the incident qualifies as a breach (see the reportable events below), the organization must notify the HHS and follow the additional requirements of the Breach Notification Rule where applicable.


What Is a HIPAA Reportable Event?

A “reportable event” under HIPAA refers specifically to a breach of unsecured protected health information, that is, PHI that has not been protected through encryption or other security safeguards.

Some examples of these breaches might include:

In these events, PHI has been disclosed to unauthorized parties (or, at least, there is a high likelihood that it has).


Are All Security Incidents Reportable Events?

Not all HIPAA security incidents are reportable events. While, by and large, covered entities (CEs) and business associates (BAs) must document, investigate, and report incidents, there are exceptions.

These exceptions include:

In general, when a security incident occurs, the covered entity (or its business associate) must investigate whether a breach has occurred and whether it is reportable. It must assess the probability that data was compromised based on the scope and scale of the incident, compare the facts against the potential exceptions, and determine whether the incident stands as a reportable event.


What Is the Breach Notification Rule?

Under the Breach Notification Rule, CEs have several responsibilities once a breach of unsecured protected health information (PHI) has occurred.

Here are some of the primary responsibilities that CEs and BAs might take on following a reportable event:

How Can I Identify Reportable Events?

Identifying a reportable event under HIPAA primarily involves recognizing when a breach of unsecured protected health information (PHI) has occurred and requires notification. Here are the steps an organization can take to identify a reportable event:


Always Be Prepared for HIPAA Breaches with Lazarus Alliance

Security incidents and breaches occur. It is a fact of business. But the difference between a low-stress security incident and a massive breach that could cost your company significantly is a dedication to the HIPAA requirements around reporting and notification.

Fill out this form to learn more about how Lazarus Alliance can help you with HIPAA compliance.
