Have you ever:
Each of the previous examples has one thing, potentially more, in common.
HIPAA Security Officer. The HIPAA Security Officer should be the first person to manage any incident regarding ePHI or any overall security breach within the Organization. Under the Health Insurance Portability and Accountability Act (HIPAA), all Covered Entities and Business Associates must have a HIPAA Security Officer. Some organizations actually have a team responsible for HIPAA. Yet, even if there is a team, the law requires one person to be ultimately responsible for all actions regarding HIPAA Security. Do you know who your HIPAA Security Officer is?
Security Incidents. Security incidents are defined (45 CFR § 164.304) as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
With the rise of cybercrime, the timing requirements of security incidents have come up to the front line with State and Federal legislation dictating timing requirements for reporting, conducting investigations, and implementing remedial steps. One important point to remember is that the timing requirements depend on the number of individuals affected and the location of the organization.
Sanction Policy [45 CFR § 164.308 (a)(1)(ii)(C)]. The Sanction Policy requires all Covered Entities and Business Associates to “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” In other words, a cause and effect policy that covers what the organization’s actions will be if an employee violates their policies. There are no specific actions identified under HIPAA, but most organizations have termination as one of their options.
In summary, if there is a security incident, potential or valid, immediately report the same to the HIPAA Security Officer. Keep in mind, that failure to report incidents in a timely fashion may result in fines and other administrative procedures.