Tip: Make sure someone at your agency is ready to take incident reports 24/7.
Under HIPAA regulations, you must have procedures for reporting, processing, and responding to suspected or known information security incidents.
Make sure you’re covering all the HIPAA bases by outlining every step you must take when a security incident occurs. These procedures are essential for investigating, mitigating, and documenting security incidents, so that you can appropriately report and promptly handle security violations and breaches, says Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems based in Charlotte, Vt. According to Sheldon-Dean, your procedures should identify:
- How to determine what qualifies as an “incident”;
- How to report incidents (including designating a person to whom incidents and alerts must be reported on a 24/7 basis);
- The steps to take in investigating;
- The roles and responsibilities of the response team;
- The steps to take and information to include when documenting incidents;
- The steps to take to mitigate the effects of incidents (where possible and/or allowed by law);
- The steps to take to provide business recovery and continuity, including the use of adequate backup procedures;
- Who may release information about the incident and the procedures for doing so;
- To which entities incidents involving breaches must be reported;
- Who is authorized to release a system following an investigation; and
- How you should perform a follow-up analysis and who should participate.