Healthcare organizations must take special care of protected health information (PHI). Part of the HIPAA Security Rule is a set of requirements covering how to respond to a security incident and how to report that incident, depending on its severity.

Make sure your organization understands the following policies and has them all in place.

The purpose of these policies is to formalize the response to, and reporting of, security incidents. This includes identifying and responding to suspected or known security incidents, mitigating the harmful effects of known or suspected security incidents to the extent possible, and documenting security incidents and their outcomes. A formal reporting and response policy must be followed whenever a security incident is handled.

Your healthcare organization shall employ tools and techniques to monitor events, detect attacks, and identify unauthorized use of the systems that contain electronic protected health information (EPHI).


All security incidents, threats or violations that affect or may affect the confidentiality, integrity or availability of EPHI shall be reported and responded to promptly.

Incidents that shall be reported include, but are not limited to:

The organization’s Compliance Officers shall be notified immediately of any suspected or actual security incident. If it is unclear whether a situation is a security incident, the Compliance Officers shall be contacted to evaluate it.


Your Compliance Officers shall track the incident. The Compliance Officers must determine whether a report of the incident shall be forwarded to the Department of Health and Human Services (HHS). The criteria for this vary depending on the particular incident, but err on the side of caution and report to HHS if you suspect a breach. Reporting to HHS does not normally result in a fine if you are being proactive.

Compliance Officers are the only employees who can fully resolve an incident. Other employees, the IT department, management, etc., should not make the final decision on whether an incident is classified as a breach. The Compliance Officers shall evaluate the report to determine whether an investigation of the incident is necessary. The Compliance Officers shall also determine whether your organization’s lawyers, law enforcement, Human Resources, or any other department should be contacted about the incident.

All HIPAA security-related incidents and their outcomes must be logged and documented by the Compliance Officers. This includes all relevant information about the incident (who, what, when, where, and why). A timeline should be kept from the very beginning of any incident and made available to HHS and the Office for Civil Rights (OCR) if requested.

All incidents should be reviewed and investigated, and if the breached PHI has been compromised (unauthorized individuals have received and viewed the PHI), the breach must be reported to HHS through its breach reporting site.

Your organization and its Compliance Officers must record all incidents and retain these incident reports for six years.


Your organization must train personnel on how their particular job or position is expected to respond to a security incident. Each employee should know how to report an incident and to whom to report it.

Your employees must have annual training refreshers.

Also, be sure your employees know how to report an incident anonymously if they fear retaliation for reporting it. During training, show employees how to use the HHS website to report an incident.