Identifying and Responding to Security Incidents Policy (UBIT HIPAA)

Category: HIPAA Security
Responsible Office: UBIT HIPAA Compliance
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Approved By (Name/Title): J. Brice Bible, VPCIO

CATEGORY: Administrative Safeguards
TYPE: Required Implementation Specification for Addressing Security Incidents Standards
CITATION: 45 CFR 164.308(a)(6)(ii)(A)

The University at Buffalo Information Technology (UBIT) operates as a covered entity as defined by the U.S. Department of Health and Human Services Office of Civil Rights. HIPAA Regulation Text 45 CFR Part 164.308 (a)(6)(i) requires a covered entity to implement policies and procedures to address security incidents.

UBIT implements policies and procedures that:

• Promptly identify and respond to suspected or known security incidents
• Mitigate, to the extent practical, harmful effects of known security incidents
• Document security incidents and their outcomes 

These policies and procedures apply to suspected or known security incidents that occur within the UBIT-covered entity.

This policy applies to all UBIT workforce members.

Workforce members: Adhere to all policies and procedures as written.

HIPAA Security and Privacy Officer: Ensures implementation of policies and procedures to promptly identify, report, and respond to security incidents.

Compliance Officer: Participates in ensuring the implementation of policies and procedures to promptly identify, report, and respond to security incidents in conjunction with the HIPAA Security and Privacy Officer.

Date Approved: 12/4/2017