Data breaches and security incidents are often spoken of in the same context. While they are related, they are not the same, and the distinction between the two terms is very important under HIPAA.
A data breach, under HIPAA or not, is significant. A data breach means that there has been unauthorized access to PHI. This is not simply a vulnerability but a defined outcome exposing protected data.
A security incident increases the risk of a data breach, but it is not a data breach. An example might be a misconfigured server on which a default account password was never changed. To determine whether this incident resulted in a data breach, an investigation must be conducted to assess whether the vulnerable server account was used to gain unauthorized access to data on the server or accessible from the server.
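The investigation step above, as an added example that is not part of the original article: given the server's authentication log, check whether the account with the unchanged default password was actually used to log in, which is what separates a security incident (a weak credential existed) from a potential breach (the weak credential was used). The log lines, the hostname `app01`, the account name `admin` and the source addresses are all constructed for this example; the log format follows the common sshd `auth.log` style.

```python
import re
from dataclasses import dataclass

# Constructed sample auth-log lines in sshd style (not from any real system).
SAMPLE_AUTH_LOG = """\
Mar 03 09:12:01 app01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Mar 03 09:12:04 app01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Mar 03 09:12:09 app01 sshd[2210]: Accepted password for admin from 203.0.113.7 port 51234 ssh2
Mar 03 09:30:44 app01 sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
Mar 03 11:02:17 app01 sshd[2401]: Failed password for admin from 198.51.100.23 port 60001 ssh2
"""

# One pattern covers both successful and failed sshd login records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class AuthEvent:
    ts: str
    host: str
    user: str
    src: str
    success: bool


def parse_auth_log(text):
    """Parse sshd-style lines into AuthEvent records; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["host"], m["user"], m["src"],
                                    m["result"] == "Accepted"))
    return events


def default_account_activity(events, account, trusted_sources=()):
    """Return (all attempts against the account, successful logins from untrusted sources)."""
    attempts = [e for e in events if e.user == account]
    successes = [e for e in attempts if e.success and e.src not in trusted_sources]
    return attempts, successes


def classify_incident(text, account, trusted_sources=()):
    """Decide whether the weak-credential incident shows evidence of unauthorized access.

    A successful login from an untrusted source means the investigation must continue
    into what data the account could reach; otherwise the finding stays a security incident.
    """
    events = parse_auth_log(text)
    attempts, successes = default_account_activity(events, account, trusted_sources)
    if successes:
        status = "potential breach: unauthorized login succeeded; determine what PHI was reachable"
    elif attempts:
        status = "security incident: account was targeted but no login succeeded"
    else:
        status = "security incident: weak credential present, no use observed in this log"
    return {
        "status": status,
        "attempts": len(attempts),
        "successes": [(e.ts, e.src) for e in successes],
    }


if __name__ == "__main__":
    # Findings like these belong in the written investigation record.
    print(classify_incident(SAMPLE_AUTH_LOG, "admin"))
```

The `trusted_sources` parameter lets an administrator's known address be excluded so that a legitimate login during remediation is not mistaken for unauthorized access; every successful login that remains is a lead the investigation has to run down, not a conclusion on its own.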
Every security incident and breach needs to be investigated, with the investigation and outcome well documented.
Under HIPAA, there are no reporting requirements for security incidents.
Under HIPAA, there are several reporting requirements for data breaches that covered entities must follow, listed below.
Business associates have slightly different reporting requirements than covered entities. Business associates are required to notify the covered entities they support within 60 days of a breach. Business associates should also assist covered entities in identifying the impacted individuals. The requirements of business associates are typically defined in a business associate agreement (BAA).
HIPAA penalties are based on not adhering to HIPAA rules. These penalties can be levied against organizations whether or not a breach has occurred.
Every security incident must be investigated and, if it is determined that a data breach has occurred, the proper notifications should be made as quickly as possible and no later than 60 days from the determination that a data breach occurred.