This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Security Incident Procedures: Responses & Reporting (Required)

Reference: 45 CFR §164.308 (a)(1)(ii)(A)
Last Updated: February 7, 2024


Goal: Identify and respond to suspected or known security incidents; mitigate, as appropriate, harmful effects of security incidents that are known; and document security incidents and their outcomes.

The purpose of this policy is to define what the organization should do to be able to effectively respond to security incidents involving its ePHI.


Procedure: The Security Manager must ensure a timely response to potential threats. It is also critical that the following procedures take place whenever a potential threat is identified.

    • All employees shall be aware of suspicious activity that may indicate the presence of viruses in the system. The most common indicators include:
      • Warning message from anti-viral software
      • Strange messages or graphics
      • Drive lights blinking
      • Missing files and/or data
      • Running out of memory
      • Increased file size
      • Program taking longer to load than normal
    • Events to report
      • Any event in which access to PHI might have been gained by an unauthorized person
      • Any event in which a device that contains (or may contain) PHI has been (or might have been) lost, stolen or infected with malicious software (viruses, trojans, etc.)
      • Any event in which an account belonging to a person who has access to the data might have been compromised, or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
      • Any attempt to physically enter or break into a secure area where PHI is or might be stored
      • Any other event in which PHI has been or might have been lost or stolen
      • Any other event in which PHI has been or might have been improperly used (e.g. used without the individual’s written authorization if authorization is required)
    • Whenever a computer is believed to be infected with a virus, users must follow these steps:
      • Stop: Do not turn off the PC or unplug your computer/device
      • Disconnect: Unplug the network cable from the back of the computer/device and turn off any wireless internet connection
      • Take Notes: Identify what activity indicated a virus or unauthorized intrusion may be present
      • Get help: Contact your Supervisor or Security Manager
        • DO NOT attempt to take any further action on your own.
        • DO NOT attempt to research what happened.
        • DO NOT attempt to encrypt or otherwise protect any sensitive data on your system.
        • Doing any of these things may destroy crucial forensic data.
    • The Security Manager must ensure that the following procedures are followed whenever a virus is detected:
      • Boot the PC from a write-protected diskette containing the anti-virus software
      • Scan the hard drive (memory, boot sector and all files) for viruses
      • Identify any viruses found, by name
      • Clean any specific viruses found
      • Rescan the hard drive and scan and clean all diskettes
      • Attempt to determine the source of infection (for tracking purposes)
      • Determine any other infections that may have occurred as a result of this infection
      • Restore any lost software from its original media or write-protected archives

The Security Manager will document and log all ePHI-related security incidents and their outcomes.

All Security Incidents shall be investigated by the Security Manager or their designated representative. The person conducting the investigation shall use the Internal Investigation Form.

Findings/Recommendations of the investigation shall include:

    • An analysis that relates each potential security incident to its possible results;
    • Potential remedies, including disciplinary actions if needed;
    • Sanitized information for training purposes;
    • Preventive actions and the possibility of recurrence.

All results of investigations shall be kept by the Security Manager for a period of seven years.
