California HIPAA training for small businesses


Security Incidents

HIPAA defines a security incident as, "...the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." § 164.304

Recognizing a security incident quickly, and reporting it promptly, is the best way to limit damage. Investigating the root cause will require more time but it may be necessary to stop further disclosures of information.

Unauthorized Activities

Security incidents from unauthorized activities are caused by human beings, namely people who work for the covered entity (CE) or the business associate (BA).


Most incidents involve multiple factors. The process of investigation is an opportunity for the CE or BA to improve its administrative safeguards and retrain the workforce.

Interference with Operations


Security incidents involving "...interference with system operations..." are usually caused by malware (e.g., viruses, worms, trojan horses, spyware).

System operations problems are usually associated with weak "technical safeguards." § 164.312

Symptoms of infection include slow computer performance, numerous popups, frequent browser redirects, infection warnings, and advertisements to buy additional software to "fix" the problem.


Response is Required

HIPAA requires covered entities (CEs) and business associates (BAs) to...

"Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes." § 164.308 (a)(6)

The Security Rule requires CEs and BAs to respond to security incidents but does not require reporting to HHS or any other government agency. The incident and the outcome must be documented internally with the CE or BA.

The Security Management Process standard § 164.308(a)(1)(ii)(D) also requires information system activity review. CEs must "...implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

Security Incident or Breach?


A security incident is not a breach unless it involves protected health information (PHI).

"Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted ... which compromises the security or privacy of the PHI." § 164.402

Breach does not include unintentional or inadvertent disclosures by CE workforce members or BAs — if PHI is not further disclosed, or if the unauthorized person is not reasonably able to retain the PHI, or if there is a low probability PHI was actually compromised.

Low probability of compromise can be demonstrated by a four-step test. § 164.402(2)(i), (ii), (iii), (iv)

Breach Notifications

A CE must notify the Secretary if it discovers a breach of unsecured PHI. § 164.408 All notifications must be submitted to the Secretary using the Web portal below.

OCR Instructions


Incident Investigations

Investigations are tricky in a small, close-knit office environment. Yet, it is important to contain the problem and mitigate damages as soon as possible. Any suspected crime should be reported to the police. Otherwise, the CE privacy official should investigate according to the protocols in the CE or BA's incident response plan.

If the CE or BA does not have a written plan, it is important to size up the situation and start writing. Ask how the incident happened before asking who is responsible. Employees have the right to expect fairness but they have no right to keep secrets. No one should be promised anonymity.

After the fire is put out, the entity must clean up the mess and deal with losses. It may be necessary to make an insurance claim.

BA Contracts


HIPAA requires BA contracts to deal with security incidents and breaches of PHI.

The BA must "Report to the CE any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410." § 164.314(a)(2)(i)(C)

HHS suggests the following paragraph: "...Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware."



    © Darnall Law Office 2015