HIPAA Incident Management – Customers notified of a hack, Documented Processes

45 CFR § 164.304 defines a security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

The Security Incident Procedures standard

(i) requires a covered entity to implement policies and procedures to address security incidents.

What’s a covered entity? A covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.

(ii) requires a covered entity to identify and respond to suspected or known security incidents, mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes.

Questions to consider

Are formal investigations conducted into the loss of information or IT equipment?

The answer here has to be yes.

Are customers notified if their information is breached or stolen?

The answer here has to be yes. The notification process should be defined and can be unique to each customer as outlined in the Master Services Agreement (MSA).

Do you have a documented incident management process?

For the cloud servers, you can leverage AWS. The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24 x 7 x 365 coverage to detect incidents and to manage the impact and resolution. AWS’s incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. The AWS SOC 1 Type 2 report provides details on the specific control activities executed by AWS.

If you don’t want to run on AWS because you want a tighter BAA, then you can investigate Aptible or ClearData. Aptible has a Gridiron solution that provides a nice incident management solution.