Question: We have begun auditing our computer systems. Through the audit logs, we discovered that some patient files were inappropriately accessed. Do those logs need to be included in our patients' accounting of disclosures?

West Virginia Subscriber

Answer: "No," says John Parmigiani, senior VP for Consulting Services at QuickCompliance in Avon, CT. However, the log should facilitate your HIPAA security rule-mandated incident reporting system, he says.

"If you determine nothing's been exposed, you're under no reporting requirements," adds Fred Langston, a principal with VeriSign in Seattle, WA. If there has been exposure, the breach must be handled in accordance with your facility's defined policies and procedures for incidents, he confirms.

The Bottom Line: "Auditing flows into the incident response," Parmigiani explains. When a potential breach is discovered, the incident response team then investigates it and makes the necessary contacts, Langston concurs.