The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
A security incident under HIPAA is defined broadly to include both attempted and successful unauthorized activities involving information systems that contain ePHI. This encompasses a wide range of events: unauthorized login attempts, malware infections, phishing attacks, unauthorized access to patient records, loss or theft of devices containing ePHI, unauthorized modifications to data, and interference with system availability. Importantly, HIPAA includes attempted incidents in its definition, meaning organizations must monitor for and respond to failed attack attempts as well as successful compromises.
It is important to distinguish between security incidents and breaches. All breaches are security incidents, but not all security incidents are breaches. A security incident becomes a breach when it involves the actual acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and compromises the security or privacy of the PHI. For example, a failed login attempt is a security incident but not a breach. An employee accessing a patient record without authorization and sharing it externally is both a security incident and a breach. Organizations must have processes to detect security incidents, assess whether they rise to the level of a breach, and respond appropriately in each case.
HIPAA requires covered entities and business associates to implement policies and procedures for identifying, responding to, and mitigating security incidents, and to document security incidents and their outcomes. An effective incident response program includes detection capabilities such as intrusion detection systems, log monitoring, and user behavior analytics; a documented response plan with defined roles and escalation procedures; containment and remediation processes; forensic investigation capabilities; and post-incident review and lessons learned. All security incidents must be documented regardless of whether they rise to the level of a breach. Covered entities that use business associates must ensure that each business associate reports security incidents in accordance with the terms of the Business Associate Agreement.