Reader Question:
Keep 4 Categories in Mind for HIPAA Security Issues
Published on Tue Sep 20, 2016
Question: We know that any issues that don’t comply with HIPAA regulations are serious, but are there official ways to categorize them?
North Dakota Subscriber
Answer: When a security incident occurs, your best first step is to determine its potential impact. Incidents generally fall into one of four categories:
- Critical: An event that can cause significant damage, corruption, or loss (compromise) of confidential, critical, and/or strategic organization and patient information. It can lead to potential damage and liability to the organization and its public image.
- Moderate: An event that may cause damage, corruption, or loss of replaceable information without compromise. It may have a moderate impact on the practice’s operations or reputation, or may lead to legal liability.
- Minor: This type of event causes inconvenience, aggravation, and/or minor costs associated with recovery. It can include unintentional actions at the user or administrator level or unintentional damage or minor loss of recoverable information. The event will have little – if any – material impact on the practice’s reputation or daily operations.
- Suspicious activity: This category includes observations that could indicate the possibility of a past, current, or threatened security incident, but that might also be consistent with authorized or non-harmful activities.
“All critical incidents must be investigated and documented as incidents,” says Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, based in Charlotte, Vt. Moderate or minor incidents require minimal investigation and documentation as incidents, Sheldon-Dean says, “but will receive full investigation and documentation if it is deemed that the incident is unusual and can be learned from so that similar incidents may be prevented in the future.”
You don’t need to conduct a detailed investigation and complete thorough documentation of a suspicious activity. Just remember that you might have to elevate it to a higher-level category, depending on the incident specifics.
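The four categories and the investigation depth each one requires can be written down as a small triage procedure, so that whoever handles the initial report applies the same tests in the same order. The following Python is an added illustration, not code from the newsletter or from Lewis Creek Systems; the incident fields (`confirmed`, `compromise`, `damage_or_loss`, `moderate_impact_or_liability`, `unusual_or_instructive`), the decision order and the sample incidents are this example's own assumptions, and the samples are constructed, not real events.

```python
"""Incident triage helper modelled on the four categories in the answer above.
Added example; field names and decision order are this example's own
assumptions, not the newsletter's or any vendor's method."""
from dataclasses import dataclass, replace
from enum import Enum


class Category(Enum):
    CRITICAL = "critical"
    MODERATE = "moderate"
    MINOR = "minor"
    SUSPICIOUS = "suspicious activity"


class Handling(Enum):
    FULL = "investigate and document fully as an incident"
    MINIMAL = "minimal investigation and documentation"
    WATCH = "log the observation; re-triage if it is confirmed"


@dataclass(frozen=True)
class Incident:
    description: str
    confirmed: bool                       # False: an observation that may still be benign
    compromise: bool                      # confidential/critical/strategic data exposed
    damage_or_loss: bool                  # data damaged, corrupted or lost (replaceable)
    moderate_impact_or_liability: bool    # operations, reputation or legal exposure
    unusual_or_instructive: bool = False  # worth a full write-up to prevent repeats


def categorize(inc: Incident) -> Category:
    """Map an incident to one of the four categories, most severe test first."""
    if not inc.confirmed:
        return Category.SUSPICIOUS
    if inc.compromise:
        return Category.CRITICAL
    if inc.damage_or_loss and inc.moderate_impact_or_liability:
        return Category.MODERATE
    return Category.MINOR


def handling_for(cat: Category, inc: Incident) -> Handling:
    """Investigation/documentation depth required for a categorised incident."""
    if cat is Category.CRITICAL:
        return Handling.FULL
    if cat is Category.SUSPICIOUS:
        return Handling.WATCH
    # Moderate and minor: minimal, unless there is a lesson to be learned.
    return Handling.FULL if inc.unusual_or_instructive else Handling.MINIMAL


def triage(inc: Incident) -> tuple[Category, Handling]:
    cat = categorize(inc)
    return cat, handling_for(cat, inc)


def escalate(inc: Incident, **new_facts) -> tuple[Category, Handling]:
    """Re-triage a suspicious observation once investigation confirms facts."""
    return triage(replace(inc, confirmed=True, **new_facts))


# Constructed sample incidents (hypothetical, not real events).
SAMPLES = [
    Incident("Lost unencrypted laptop holding patient records", True, True, True, True),
    Incident("Shared folder deleted, restored from backup; billing delayed a day", True, False, True, True),
    Incident("Clinician saved a report to the wrong internal folder", True, False, True, False),
    Incident("Several failed EHR logins from an unknown workstation", False, False, False, False),
    Incident("Backup job misconfigured, files recovered; third time this quarter",
             True, False, True, False, unusual_or_instructive=True),
]


def triage_all(incidents=SAMPLES):
    """Return (description, category, handling) for each incident."""
    return [(i.description, *triage(i)) for i in incidents]


if __name__ == "__main__":
    for desc, cat, act in triage_all():
        print(f"{cat.value:19} | {act.value:52} | {desc}")
```

The order of the tests matters: the "confirmed" check runs first so that an unconfirmed observation never lands in a lower category just because its facts are incomplete, and `escalate` shows how a suspicious-activity record is promoted once investigation establishes, for example, that data was actually compromised.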