For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Security Incident Reporting Procedures

Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures

Policy Title: Security Incident Reporting Procedures
Policy Number: IS-05 (Administration Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

Table of Contents

Applicability

This policy applies to all Covered Entities within Drexel University.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

I. Purpose

To provide the process and form used for Security Incident reporting and to provide the e-mail address for the reporting of spam to the HIPAA Security Officer.

II. Policy: Reporting Suspect Conduct

Drexel University (DU) requires, through our HIPAA Privacy and Security Program, meaningful and open communication. To this end, we require that Workforce Members report conduct that a reasonable person would, in good faith, believe to be inappropriate or irresponsible in protecting the confidentiality of electronic protected health information (e-PHI), the integrity of e-PHI data on our system, and the availability of e-PHI. Failure to report inappropriate or irresponsible conduct is a personnel violation (under our HIPAA Privacy and Security Program).

To facilitate this reporting, we have created a user-friendly process of reporting potentially or actual policy violations or threats to the confidentiality, integrity and availability of our systems or data containing e-PHI.

The DU Privacy Committee will serve as the "incident response team."

Workforce Members are trained to use the HIPAA Security Incident Form provided with this policy to report a suspected violation or procedure action that permits an attempted or successful violation to occur, and mail it to the Privacy Officer at mail stop 666 or leave it on the desk of the Privacy or Security Officer. You are not required to sign the form.

It is the policy of DU to encourage disclosure and to discuss areas for improvement. To this end, there shall be no retribution for reporting conduct that a reasonable person acting in good faith would have believed to be inappropriate or irresponsible.

III. Definitions

Security Incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

Violation is an actual or suspected violation of any DU HIPAA Privacy and Security Program compliance policy.

IV. Procedure

  1. HIPAA Security Incident Reporting
    1. Specific occurrences that could trigger the reporting of a Security Incident may include, but are not limited to the following:
      • Any suspicious or known breach of security by a Workforce Member that is known to be a violation of DU's philosophy of protecting and safeguarding e-PHI;
      • Any suspicious or known breach of security by an external third party that is known to be a violation of DU's philosophy of protecting and safeguarding e-PHI;
      • Any suspicious activity uncovered as a result of a review of routine or random audit trail;
      • Suspected or proven violation of protection of malicious software, including the introduction of malicious software;
      • The violation of the login attempt policy, such as using or attempting to get another user's login and/or password;
      • The sharing of passwords;
      • Inappropriate access to the Internet;
      • Improper network activity; and
      • Improper email activity.
    2. Workforce Members are to use the attached HIPAA Security Incident Report Form to report a suspected violation or procedure that permits a violation to occur.
      1. Fax it to 267.359.5500 or Mail it to Chief Privacy Officer, Drexel University, 13th Floor Bellet Building, 1505 Race Street, Philadelphia, PA 19102.
      2. You are not required to sign your name to the form.
    3. Data Stewards will report suspected security breaches, unauthorized access, audit train data or other system warnings about unusual or inappropriate activity, violations of policy and weaknesses in security measures within 24 hours of becoming aware of the incident.
  2. Reporting Spam
  3. To report "spam," simply click on the "Report Spam" icon at the top right message banner of the email that is spam. Each Affected Member and all students may make a personal contribution to the security of the network by assisting in the control of spam in this manner.

  4. Response to Incident Report
    1. Upon receipt of a completed Incident Report or other report of violation, the Security Officer and the incident response team will review it (and conduct an initial investigation if necessary) in order to determine the validity and level of risk associated with the reported incident. All security incidents reported to the Security Officer will be noted in DU's incident log.
    2. The Security Officer, Privacy Officer, Director of Information Systems, and any other affected Department Manager will convene within a reasonable period of time to determine what course of action should be taken as a result of a Security Incident, including investigation, reporting to law enforcement if necessary, applying sanctions if necessary, mitigating any harmful effects to the extent necessary, and determining if the issue should be evaluated as part as a larger review.
    3. All necessary action, including outcomes, will be handled promptly and documented in accordance with DU's policy. On a routine basis, the Security Officer will provide to the organization's senior management aggregate reporting of Security Incident reports and the organization's response.
    4. Each Workforce Member will be contacted directly and individually in the event of a problem.
    5. DU will make all reasonable efforts to keep confidential the identity of the reporting employee.

V. References

45 CFR §§ 164.308(a)(6)(i), (ii)

Cross References: IM-09, Incident Reporting; IM-10, Responding to External Investigations and Inquiries; IS-01, Access to e-PHI on DU Information Systems

 Back to Top