Appendix Q 459
The requirements make up a standard incident handling policy that any entity should
have in place as part of its security policies. This is another example of the similarity
between HIPAA security regulations and information security best practices. The
questions below are based on some of the comments and clarifications to the security
incident requirement as documented in the Federal Register. In addition to the
questions below, the Incident Handling checklist should be used when evaluating
this HIPAA requirement.
1. Is an incident handling policy in place? (See Incident Handling checklist for further best practices related to incident handling.)
Guidance: For this requirement, there should be, at the minimum, an Incident Handling policy in place. Like the other security policies, it should be readily accessible by employees and be maintained. With incident management, some entities, particularly the smaller ones, will say that everyone knows what to do in the event of an incident. As with other security policies, this becomes a problem when the number of employees grows or if turnover occurs. In addition, the policy is a requirement for HIPAA purposes, so it must be documented and used for handling security incidents.
Client Response:
2. As part of the incident handling process, are there any requirements for documenting the details of a security incident?
Guidance: Beyond requiring that security incidents and their outcomes be documented, the HIPAA regulations do not specify what details must be recorded for a security incident. The level of documentation should be based on the individual entity's business requirements. Specific recommendations for what to document are contained in the Incident Handling questionnaire in the appendices of this book.
Client Response:
3. Are there any business or legal requirements related to reporting incidents? If so, are they addressed in the Incident Handling policy?
Guidance: Based on the HIPAA security regulations comments and responses as documented in the Federal Register, no requirements exist for internal or external reporting. Companies are free to tailor their reporting based on their own business requirements. Keep in mind that an entity