Bryan Cave Combines with Berwin Leighton Paisner to Form Bryan Cave Leighton Paisner LLP Learn More

Covered entities and business associates are required to identify and report breaches of unsecured protected health information (“PHI”) and security incidents. “Breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Laws which compromises the security or privacy of the PHI, and is not one of the breach exclusions.1 Breach applies to both paper and electronic PHI. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI (“EPHI”) or interference with the entity’s system operations in its information system.2 The Federal Office for Civil Rights (“OCR”) has recommended that covered entities and business associates have incident response teams capable of identifying and handling breaches and security incidents.3 Incident response plans and policies should be developed, reviewed annually, and approved by management.

Being capable of responding quickly and appropriately to breaches and security incidents must be a high priority for covered entities and business associates. The potential effects of these events can be devastating, both financially and legally, as well as create significant consequences from a public relations perspective.

Average total cost of security incident in 2016 is $4 million, or $355 per record for healthcare entities.4

Fines imposed by the OCR for breaches and security incidents in the past 12 months total $23,194,000. 

Having an incident response team can decrease the cost of a security incident by $16 per record.5 In 2015, hacking was the leading cause for the largest security incidents.

An incident response team (“IRT”) must be specific to the covered entity/business associate and should be structured based on the mission, size, structure, and function of the entity. The purposes of the IRT should include both proactive and reactive functions: incident preparation and prevention; incident reporting; analysis of incidents; responding to incidents; and post-incident activities.

In developing the incident response plan, policy, and procedures, the following are some of the considerations:

  1. Who should be on the IRT?
  2. Who should lead the IRT?
  3. Why is an IRT needed?
  4. Define the goals and functions of the IRT.
  5. Should the IRT be ad hoc or a major job function?
  6. Should any responsibilities be outsourced?
  7. How will the IRT be implemented?

1. 45 CFR §164.402.

2. 45 CFR §164.304.

3. “Is Your Covered Entity or Business Associate Capable of Responding to a Cyber Security Incident?” OCR, July 2016 (available at

4. “2016 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, June 2016 (available at

5. Id, at p. 14.