Expresso's Breach Notification Wizard

The objective of the Wizard is to teach Users (i.e. Expresso® Users) how to use our Breach Notification Framework (i.e. how to legally determine whether a Breach has occurred) when processing Incidents, and to help Users create the required documentation in a systematic fashion. The Wizard is broken down into a series of Sections, some of which are described below.

Each time the User presses the “pencil button,” a “wizard” appears that helps the User make a decision that is critical to determining whether Breach Notification is triggered. The current state of the wizard (i.e. what is selected) is saved each time the User hits “OK,” which means the Incident Document is also saved at that time. The reasons for the incremental saves are many-fold but include the following: (1) to document the decision that a User made at this step in the Framework, creating a dated record of the analysis; and (2) to allow the User to complete the Incident Document over time, as information often has to be gathered from various parts of the Organization. The purpose of each wizard is to capture “decision data” that is copied into the “description control” field of its respective Section.

Breach Analysis Step 1

This Section answers the first question in the Framework, which has two components: (1) whether the PHI was secured (i.e. rendered unusable, unreadable, or indecipherable to unauthorized persons according to the NIST standards referenced in HHS guidance) and, if not, (2) whether the Privacy Rule has been violated. If the PHI was secured, for example encrypted in a manner consistent with those standards and the key was not compromised, the Breach Notification analysis ends here.


Breach Analysis Step 2

This Section answers the question of whether one of the Breach exceptions applies. If an Exception applies, then there is no Breach by definition. If, on the other hand, no Exception applies, the analysis continues to Step 3 in the Framework.


Breach Analysis Step 3

This Section determines whether the probability that the PHI was compromised is low. From a legal perspective, if the User reaches this Step in the Framework, the law presumes a Breach. However, it is a “rebuttable” presumption: the User must have compelling, documented evidence that the probability of the PHI being compromised is low, based on a number of factors, among them the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.



Patients & Jurisdiction

This Section helps the User determine how many patients were impacted by the Breach and across which states or jurisdictions. It also helps the User determine the number of days within which a State or Jurisdiction (“Jurisdiction”) requires a Breach to be reported. Remember that there are BOTH Federal and State/Jurisdictional Breach reporting requirements. Federal requirements pre-empt Jurisdictional requirements that are less stringent; where a Jurisdiction’s requirements are “stricter” (for example, a shorter reporting deadline or a broader definition of covered data), they apply in addition to the Federal requirements, so the User must track the shortest applicable deadline for every Jurisdiction involved.


PHI Data Elements Compromised

This Section helps a User decide which PHI data elements were compromised during a Breach. The list provided is by no means an exhaustive list of PHI data elements. Remember that at this point in the process the User has already decided that Breach Notification is triggered. These last Sections, including the previous one, gather the information necessary to Notify according to applicable law, and the data elements recorded here also determine which Jurisdictional laws (many of which are keyed to specific data types) are triggered.



Our Wizard, together with our Breach Notification Framework and our Breach Response Framework, will save your organization tens of thousands of dollars when (not if) your organization experiences a Breach. These tools do not obviate the need for experienced counsel; however, they save hundreds of hours of billable time by allowing your organization to make a preliminary determination and, if required, gather and document the information needed to notify the respective stakeholders (patients, HHS, and state authorities) in a manner consistent with applicable law. Our Wizard maintains a Jurisdictions table that enables you to quickly determine the notification requirements of all U.S. states/territories that may have been impacted by the Breach. It also allows you to view the actual state laws that apply when more information is required.

With Expresso® 2.5 we continue to deliver on the promise of Enterprise Compliance for the Masses. This is our second major release in 2019; the first was our Compliance Repository, where a single version of the truth can be maintained on our cloud, fully encrypted, so that your organization can quickly and effectively report compliance status should HHS, a court of law, or the executive management team come calling.

Contact us: Mature Compliance Programs Made Easier!