I disagree with the commonly held view that security incidents involving Protected Health Information are inevitable for all organizations.  However,  in the event the worst case scenario does happen and you have a HIPAA breach, you need to have a robust and well-developed incident response plan.  It can seem overwhelming at first, but can be made manageable by dividing it into small tasks; which when combined create a comprehensive plan of action.  

Step One:  Have A Team In Place

Incidents require clearly defined roles and responsibilities in order to be handled appropriately.  There should be a team of individuals who are tasked with handling all aspects of the incident response.  The team should be defined beforehand, and everyone should understand their roles and the roles of all other team members.  The team should be led by the Incident Response Coordinator.  Teams can be as little as two people in small organizations, or can be ten or more people in large organizations.  You want to have at least one individual from your IT staff on the team, as well as at least one member of upper management.  If you have an in-house legal or compliance department, they should be included as well.

Step Two:  Determining When A Breach Has Occurred

HIPAA defines a security incident as the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operation in an information system.” Keep in mind that an incident is not always a breach (unauthorized access, acquisition, use or disclosure of PHI), but a breach is always an incident.  You need to have a way to monitor your system to determine when incidents occur, as well as a criteria established for what qualifies as an incident.  These can be technology solutions, like continuous monitoring, or less sophisticated processes.  The size and complexity of your organization will determine what monitoring method is appropriate.  Once an incident is qualified, the Incident Response Team should be mobilized.

Step Three: Containment

The most immediate need for the Incident Response Team upon detection and qualification of an incident is containment.  Damage control actions should be taken immediately to mitigate the impact of the incident.

Step Four:  Document and Notify

Once the incident has been contained, it must be thoroughly documented.  Documentation should include what caused the incident, what actually happened, and what information was vulnerable.  Working with the legal or compliance members of the team, appropriate notification will be determined.  Keep in mind, your state may have specific notification requirements if PHI was inappropriately accessed.

Step Five:  Remediation and Recovery

After initial documentation and notification, a deeper analysis of the incident is performed.  The goal is to prevent the cause of this incident from creating additional problems in the future.  Depending on the steps taken to contain and end the incident, a recovery plan may be necessary at this stage.

Step Six:  Post Incident Assessment

After the incident has completely ended, the time for learning begins.  Lesson learned meetings should be scheduled, a corrective/preventative action plan should be prepared, and staff should be re-trained.  The Incident Response Team should also be assessed and changes to the Incident Response Plan made.

In summary, each of these six steps are necessary for proper response to a security incident.  When combined into one plan, they create a robust approach to how incidents will be detected, mitigated, and prevented in the future.  As with most aspects of HIPAA compliance, the critical pieces are establishing a strong team, and having a comprehensive plan in place before an incident ever occurs.

Learn more:

HIPAA Incident vs. HIPAA Breach

How To Ensure Timely Notification of a HIPAA Breach

Is a Ransomware Attack a HIPAA Breach?