Ransomware, phishing, stolen laptops, and cloud mix-ups have basically become background noise in healthcare. In 2023, we saw a record number of attacks—averaging almost two breaches a day.
With that kind of volume, the question isn’t if you’ll face a problem, but how you’ll handle it when you do.
What Actually Is a Security Incident?
HIPAA uses a specific term for these events: Security Incidents.
Ideally, we’d never have them, but the definition is broader than you might think. HIPAA defines an incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information.
In plain English, that means:
- It includes the "near misses": Even failed hacking attempts count.
- It’s not just patient charts: It covers the systems that handle the data, too.
- It is NOT automatically a "breach": A breach is a specific type of incident that compromises data security and privacy. Every breach is an incident, but not every incident is a breach.
Why This Matters (Beyond IT)
When we treat security as just "an IT problem," we miss the early warnings. Incidents often start with simple, non-technical mistakes:
- A staff member clicking a phishing link that looks incredibly real.
- A laptop left in a backseat and stolen.
- A vendor’s system getting compromised, which puts your data at risk.
These are teamwork events. Everyone from the front desk to the billing office plays a role in spotting them.
The Legal Clock: Investigation & Timelines
This is the part that often trips organizations up.
HIPAA rules don't just ask you to "look into it," they put you on a clock.
- The "Discovery" Clock
  The moment any employee or agent of your organization knows (or should have known) about an incident, the clock starts ticking. You cannot wait until your investigation is finished to start counting.
- The Investigation Phase
  You must investigate promptly. While HIPAA doesn't set a hard "48-hour" rule for the investigation itself, any delay must be "reasonable".
  - Goal: Determine if the PHI was actually compromised (a breach) or if you can prove there was a "low probability of compromise".
  - Timeliness: Your investigation eats into your reporting time. If you take 50 days to investigate, you only have 10 days left to notify everyone.
- Reporting Deadlines
  If your investigation confirms a breach, here are your hard deadlines:
  - Notification to Patients: Must be sent without unreasonable delay and absolutely no later than 60 calendar days from discovery.
  - Reporting to the Government (OCR):
    - 500+ individuals affected: You must notify HHS at the same time you notify the patients (within that 60-day window).
    - Under 500 individuals: You can log these and report them annually (within 60 days of the end of the calendar year), BUT you still must notify the patients within the original 60-day window.
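To make the clock concrete, here is an added Python example (written for this page, not code from EPICompliance or the article) that turns the figures above into dates: the 60-day patient window from discovery, the 500-individual threshold for HHS, and the annual log due 60 days after year end. The scenario is constructed: a breach discovered on 10 January 2024 whose investigation took 50 days.

```python
from datetime import date, timedelta

# Figures as stated in the article above (assumed current; confirm against the
# HIPAA Breach Notification Rule before relying on them in practice).
NOTIFY_WINDOW_DAYS = 60         # patient notice: no later than 60 calendar days from discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500+ individuals: HHS is notified alongside the patients
ANNUAL_LOG_GRACE_DAYS = 60      # under 500: annual log due within 60 days of calendar year end


def breach_deadlines(discovered_iso: str, affected: int) -> dict:
    """Return the hard deadlines (ISO dates) that start on the discovery date."""
    discovered = date.fromisoformat(discovered_iso)
    patient_due = discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    if affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs_due, mode = patient_due, "with patient notice"
    else:
        # Smaller breaches are logged and reported for the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs_due, mode = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS), "annual log"
    return {
        "discovered": discovered.isoformat(),
        "patient_notice_due": patient_due.isoformat(),
        "hhs_report_due": hhs_due.isoformat(),
        "hhs_reporting_mode": mode,
    }


def days_left_to_notify(discovered_iso: str, today_iso: str) -> int:
    """Days of the patient window still available once the investigation ends (0 if overdue)."""
    used = (date.fromisoformat(today_iso) - date.fromisoformat(discovered_iso)).days
    return max(NOTIFY_WINDOW_DAYS - used, 0)


if __name__ == "__main__":
    # Constructed scenario: discovered 10 Jan 2024, investigation closed after 50 days.
    print(breach_deadlines("2024-01-10", 1200))            # HHS due with patients on 2024-03-10
    print(breach_deadlines("2024-01-10", 40))              # HHS annual log due 2025-03-01
    print(days_left_to_notify("2024-01-10", "2024-02-29"))  # 10 days left
```

Note that the patient deadline never moves: a slow investigation only shrinks the time left, it does not extend the window.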
A Simple Framework for Your Team
You don't need your staff to memorize legal code. Just teach them these three stages:
| Stage | What to do |
| --- | --- |
| Before | Build defenses. Do we know how to report a suspicious email or lost device? |
| During | Recognize and Contain. Who do we call first? Don't panic—just disconnect the machine and call the privacy officer. |
| After | Investigate and Learn. Did we document the incident? Did we determine if it was a breach? Did we update our safeguards? |
Practical Steps to Take Now
- Make reporting strictly "No-Blame."
  Staff won't report a mistake if they think they'll get fired. Encourage a "when in doubt, report it" culture. Speed is your best defense, and you need them to speak up immediately.
- Standardize your first response
  You don't need a novel; you need a checklist.
  - Suspicious Email? Don't click. Report it. IT isolates the device.
  - Lost Device? Report it immediately so IT can wipe it remotely.
- Document Everything
  A short log entry can save you a nightmare later. If regulators investigate, they will look for proof that you took the incident seriously.
  - Log: Dates, times, systems involved, and exactly what you did to fix it.
  - Decision: Specifically record why you decided an incident was (or was not) a reportable breach.
- Use real incidents as teaching tools
  Don't just use theoretical examples. Without naming names, tell your staff: "We had three phishing attempts last month. Here is what helped us spot them." This keeps training grounded in reality.
Quick Readiness Checklist
- Do staff know exactly who to call when they see something weird?
- Do we have a written response plan that leadership actually understands?
- Are we logging incidents centrally (not just in emails)?
- Do we review incidents to make that critical "Breach vs. Incident" decision?
If you answered "no" to any of these, that is your starting point.
How EPICompliance Helps
If you're already using EPICompliance, you can use the platform to assign security tasks, store your incident logs, and link your documentation directly to your risk assessments.
If you are new to us, we help you get out of the "chasing papers" mode. Instead of scattering incident records across email and binders, you can keep them in one structured system that regulators appreciate.