Have you ever:
- Forgot to remove access of a departing employee;
- Forgot to collect devices with potential PHI from departing employees;
- Had devices with PHI been lost?
Each one of the previous examples has one thing, potentially more, in common.
- HIPAA Security Officer,
- Security Incidents Procedures,
- Sanction policy.
HIPAA Security Officer. The HIPAA Security Officer should be the first person informed of any incident regarding ePHI or overall security breach within the Organization. Under the Health Insurance Portability and Accountability Act (HIPAA) all Covered Entities and Business Associates must have a HIPAA Security Officer. Some organizations actually have a team responsible for HIPAA, yet even if there is a team, the law requires one person to be ultimately responsible for all actions regarding HIPAA Security. Do you know who your HIPAA Security Officer is?
Security Incidents. Security incidents are defined (45 CFR § 164.304) as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
With the rise of cybercrime, the timing requirements of security incidents have come up to the front line with State and Federal legislation dictating timing requirements for reporting, conducting investigations and implementing remedial steps. One important point to remember is that the timing requirements depend on the number of individuals affected and location of the organization.
Sanction Policy [45 CFR § 164.308 (a)(1)(ii)(C)]. The Sanction Policy requires all Covered Entities and Business Associates to “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” In other words, a cause and effect policy that covers what the organization actions will be, if an employee violates their policies. There are no specific actions identified under HIPAA but most organizations have termination as one of their options.
In summary, is there a security incident, potential or valid, immediately report the same to the HIPAA Security Officer. Keep in mind, that failure to report incidents in a timely fashion may results in fines and other administrative procedures.
Note: To Learn more about HIPAA Basics and why it’s essential for your Healthcare Business, visit EPICompliance.com