RESPONSE AND REPORTING
POLICY # 20
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Identify and respond to suspected or known security incidents; mitigate,
to the extent practicable, harmful effects of security incidents that are
known to the covered entity; and document security incidents and their
outcomes.”
Policy Summary:
Sindecuse Health Center (SHC) must be able to effectively detect and
respond to security incidents in order to protect the confidentiality,
integrity, and availability of its information systems. SHC must organize
and maintain a security incident response team (SIRT) that will be SHC’s
primary coordinator of security incident reporting and response. When
responding to an incident, the SIRT must take all appropriate actions to
ensure the confidentiality, integrity, and availability of SHC information
systems. Whenever evidence clearly shows that a SHC information
system has been subject to a security incident, an investigation must be
performed by the SHC SIRT or SIRT-designated persons.
Purpose:
This policy reflects SHC’s commitment to effectively detect and respond
to security incidents in order to protect the confidentiality, integrity, and
availability of its information systems.
Policy:
1. SHC must be able to effectively detect and respond to security
incidents in order to protect the confidentiality, integrity, and availability
of its information systems.
2. SHC must organize and maintain a security incident response team
(SIRT) that will be SHC’s primary coordinator of security incident
reporting and response. The SIRT must provide accelerated notification,
damage control, and problem correction services when a security incident
occurs. The SIRT should include SHC’s security officer. The specific
responsibilities and scope of the SIRT must be defined in a charter.
3. SHC’s SIRT must create and document a formal security incident
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
RESPONSE AND REPORTING
reporting procedure, which must be regularly reviewed and revised as
necessary. The SIRT must provide SHC workforce members with an
easy to use and effective process for reporting security incidents. All
SHC workforce members must be regularly made aware of this process.
4. A SHC workforce member must not prevent another member from
reporting a security incident.
5. The SIRT must appropriately respond to all security incidents that are
reported to it via the SHC security incident reporting process.
6. When responding to an incident, the SIRT must take all appropriate
actions to ensure that the confidentiality, integrity, and availability of
SHC information systems has not been compromised. Such actions can
include, but are not limited to, temporarily removing an information
system from the SHC network, requesting access to an information
system or viewing data.
7. All SIRT actions that will significantly affect SHC workforce
members must be defined by procedures that clearly detail decisionmaking processes and implementation steps.
8. Whenever evidence shows that a SHC information system has been
subject to a security incident, an investigation must be conducted by the
SHC SIRT. Such investigations should provide sufficient information to
ensure that:


Vulnerabilities that lead to the incident(s) are identified.
Appropriate security controls are established to mitigate the
above vulnerabilities.
9. SHC’s SIRT must create and document formal guidelines on security
incident evidence collection. Such guidelines must be provided to all
SHC information system owners and administrators. These guidelines
must be regularly reviewed and revised as necessary.
10. For purposes of analysis and possible prosecution, SHC must collect
appropriate evidence regarding security incidents.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
RESPONSE AND REPORTING
Regulatory Type:
REQUIRED Implementation Specification for Security Incident
Procedures Standard
Regulatory
Reference:
45 CFR 164.308(a)(6)(ii)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
RESPONSE AND REPORTING
altered or destroyed in an unauthorized manner.
Security incident means the attempted or successful unauthorized access,
use, disclosure, modification, or destruction of information or
interference with system operations in an information system.
Responsible
Department:
SHC workforce
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Security Incident Procedures
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.