Question: We have begun auditing our computer systems. Through the audit logs, we discovered that some patient files were inappropriately accessed. Do those logs need to be included in our patients' accounting of disclosures?
Answer: "No," says John Parmigiani, senior VP for Consulting Services at QuickCompliance in Avon, CT. However, the log should facilitate your HIPAA security rule-mandated incident reporting system, he says.
"If you determine nothing's been exposed, you're under no reporting requirements," adds Fred Langston, a principal with VeriSign in Seattle, WA. If there has been exposure, the breach must be handled in accordance with your facility's defined policies and procedures for incidents, he confirms.
The Bottom Line: "Auditing flows into the incident response," Parmigiani explains. When a potential breach is discovered, the incident response team then investigates it and makes the necessary contacts, Langston concurs.
Any breaches must be reported, experts agree. "The key function of the reporting requirement is to make sure people whose information has been or may have been compromised have the ability to react," Langston points out.