Expresso® Breach Notification Wizard


The objective of the Wizard is to teach Expresso® Users how to use our Breach Notification Framework (i.e. how to determine, under applicable law, whether a breach has occurred) and to facilitate creating the required documentation in a systematic fashion.

The Wizard maintains a database of State Notification Dates so you can determine when you must notify HHS and each State where a patient's data was compromised. It also helps you capture all the facts you will need for Notification, including the steps your organization is taking to mitigate damages.

Edit Incidents

The Wizard allows Expresso® Users to analyze Security Incidents (“Incidents”) to determine whether a Breach has occurred. The reader should first read the “Pieces of the Puzzle” section of our Breach Notification Framework (included in DOCS/Products) in its entirety, to get a baseline understanding of what the Wizard will accomplish. Essentially, it walks Expresso® Users through an analytical framework (“Framework”) consisting of a series of questions, in order to determine whether Breach Notification is triggered under applicable law. The Wizard also provides an automated way to “fill out” an Incident Document. When a User clicks on “Incidents” from the Expresso® Main Menu, they will see a grid that allows them to create new Incident Documents or edit existing ones. The Edit function works like any other Expresso® grid: when the User clicks on the Identifier ID to edit, the corresponding Incident Document displays. Alternatively, a new Incident can be created by clicking on the New Incident button.

The Incident Document is broken down into a series of “Sections,” not all of which are required. A Section is required only if the analytical Framework embodied in the Wizard mandates further processing to determine whether Breach Notification has been triggered. Each Section is covered in detail below.

Each time the User presses the “pencil button,” a “wizard” appears that helps the User make a decision that is critical to determining whether Breach Notification is triggered. The current state (i.e. what is selected) of the Wizard is saved each time you hit “UPDATE,” which means that the Incident Document is also saved at this time. The reasons for the incremental saves are many, but include the following: (1) to document the decision that a User made during this step in the Framework; and (2) to allow the User to complete the Incident Document over time, as information is obtained from various parts of the Organization.

Each Wizard Step lets the User make a decision about the associated data; that decision is documented in the “description control” field of the corresponding Section.

General Information

[Screenshot: Edit Incident screen]

This section contains general information about the Incident Document (“Document”). It can be thought of as the “global information” that applies to the entire Document.

The data attributes are as follows (an asterisk marks a required field):

Identifier* - The unique identifier assigned by the Organization to the current Incident.

Date - The date on which the Organization was notified of the Breach or discovered it.

Organization* - The name of the Customer’s organization as contained in its Account Settings table.

Owner - The person responsible for resolving the Breach. Note: this could be a pull-down from the “Admins” in the Users table, but it could also be someone else who is responsible (e.g. the CEO or outside counsel).

System - The Information System where the Breach occurred. Remember that an Information System is defined much more broadly than just an “app”; it could be a network, database, etc.

Location - The physical location (e.g. New York) within the Organization where the Breach occurred. This could be one of many organizational locations, or it could be the location of a Business Associate.

Description - A free-form description of the Incident as entered by the Organization.

There are no Framework decisions made on this Screen. Its purpose is to provide the general information required to track the Incident.

Breach Analysis Step 1

This Section answers the first question in the Framework, which has two components: (1) whether the PHI has been secured according to the NIST standards and, if not, (2) whether the Privacy Rule has been violated.

[Screenshot: Step 1]

Pressing the Pencil Icon next to “PHI Secured?” brings up the following Wizard, where the User selects whether the PHI in question has been secured according to the NIST protocols for the various PHI “states” (e.g. at rest, in motion, disposed of, etc.).

[Screenshot: PHI Secured wizard]

If “None” is selected, the Wizard continues to the second part of question one of the Framework: whether the Privacy Rule was violated. If, on the other hand, one of the protocols is selected, the Breach Notification analysis stops, because the PHI in question has been rendered “unusable, unreadable, or indecipherable” to unauthorized persons and your Organization is therefore sheltered by the Breach Notification safe harbor: there is no Breach by definition. In that case the Stop/Go button is turned Red; otherwise it is Green, indicating that the analysis continues.

The Privacy Rule wizard depicts only a partial list of acceptable ways to “use and disclose” PHI in a manner that does not violate the Privacy Rule. If the Privacy Rule is not violated, there is no Breach by definition and, again, the Breach Notification analysis stops. If, on the other hand, the PHI in question was “used or disclosed” in a manner not allowed by the Privacy Rule, the analysis continues to the second Step in the Framework. The Stop/Go buttons behave as expected.

The data attributes for this Section are as follows.

PHI Secured? (Boolean) - This button is turned green to indicate that the Wizard has been used to determine whether the PHI in question has been secured according to NIST Standards. If it has, the Stop/Go button is turned to RED, which means that the analysis need not proceed further; otherwise it is turned to GREEN, indicating that the analysis must proceed.

Stop/Go 1 (Boolean) - See the description above.

Privacy Rule violated? (Boolean) - This button is turned green to indicate that the Wizard has been used to determine whether the Privacy Rule has been violated. The Wizard displays a popup with 25 questions listing valid reasons for using PHI; see the Decision Tree Document (“DTD”) in the Appendix. If the User selects a valid reason for sharing PHI, that reason is copied into this Section’s description box. If there is a valid reason for using the PHI under the Privacy Rule, the Stop/Go button is turned to RED, which means that the analysis need not proceed further; otherwise it is GREEN, indicating that the analysis must proceed.

Stop/Go 2 (Boolean) - See the description above.

Description - This is a WYSIWYG text box that may have information copied into it from both Wizards, BUT the User can enter text as well if desired. Be sure to click on the UPDATE button to save your input.

Breach Analysis Step 2

This Section answers the question of whether or not one of the Breach exceptions applies. If one of the Exceptions applies, there is no Breach by definition. If, on the other hand, no Exception applies, the analysis continues to Step 3 in the Framework. The Stop/Go behaves as expected.

[Screenshot: Step 2 Breach Exceptions Analysis]

Pressing the Pencil Icon next to “Exception applies?” brings up the following Wizard, where the User selects whether an exception to the definition of Breach applies.

The data attributes for this Section are as follows.

Exception Applies? (Boolean) - This button is turned green to indicate that the Wizard has been used to determine whether one of the Breach exceptions applies. If an exception applies, the Stop/Go button is turned to RED, which means that the analysis need not proceed further; otherwise it is turned to GREEN, indicating that the analysis must proceed.

Stop/Go 3 (Boolean) - See the description above.

Description - This is a WYSIWYG text box that may have information copied into it from Wizard2 or Wizard3, BUT the User can enter text into it as they see fit.

Breach Analysis Step 3

This Section determines whether the probability that the PHI was compromised is low. From a legal perspective, if the User gets to this Step in the Framework, the law presumes a Breach. However, the presumption is “rebuttable” if the User has compelling evidence, based on several factors, that the probability of the PHI being compromised is low.

[Screenshot: Step 3 Probability]

Pressing the Pencil Icon next to “Probabilities?” brings up the following Wizard, where the User decides, based on several factors, whether the probability that the PHI in question was compromised is low. Only if you (more likely, your counsel) can make a compelling argument that the probability is indeed low can you prevent Breach Notification from being triggered. Rebutting the presumption of a Breach is a high legal bar to clear, but it is not impossible; there are definitely some “fact patterns” where the probability may be low. Selecting “None” means that the presumption of a Breach cannot be rebutted. The Stop/Go behaves as expected.

[Screenshot: Probability Factors wizard]

 
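The Stop/Go logic of Steps 1 through 3 above, as an added example that is not part of Expresso® or this documentation: a small Python model of the Framework that records the Stop/Go state of each Step and the text that would be copied into the Section description. The field names, the "Stop/Go 4" label for Step 3, and the sample selections are assumptions, not the product's own.

```python
from dataclasses import dataclass
from enum import Enum


class StopGo(Enum):
    RED = "stop"     # analysis need not proceed further
    GREEN = "go"     # analysis must proceed to the next Step


@dataclass
class WizardAnswers:
    """Selection recorded at each Wizard Step; "None" means nothing selected.
    Field names are hypothetical, not Expresso's own."""
    nist_protocol: str = "None"          # Step 1a: protocol that secured the PHI
    privacy_rule_reason: str = "None"    # Step 1b: valid reason for the use/disclosure
    breach_exception: str = "None"       # Step 2: exception to the definition of Breach
    low_probability_basis: str = "None"  # Step 3: factors showing low probability


def run_framework(a: WizardAnswers) -> dict:
    """Walk the Framework in order; return every Stop/Go state reached,
    the description text, and whether Breach Notification is triggered."""
    stop_go, notes = {}, []

    def stop(step: str, reason: str) -> dict:
        stop_go[step] = StopGo.RED  # RED: no Breach by definition, analysis ends
        notes.append(reason)
        return {"stop_go": stop_go, "description": notes, "notification_triggered": False}

    # Step 1a: secured PHI is "unusable, unreadable, or indecipherable" -> safe harbor.
    if a.nist_protocol != "None":
        return stop("Stop/Go 1", f"PHI secured per NIST ({a.nist_protocol}); safe harbor applies.")
    stop_go["Stop/Go 1"] = StopGo.GREEN

    # Step 1b: a use or disclosure the Privacy Rule permits is not a Breach.
    if a.privacy_rule_reason != "None":
        return stop("Stop/Go 2", f"Privacy Rule not violated: {a.privacy_rule_reason}.")
    stop_go["Stop/Go 2"] = StopGo.GREEN

    # Step 2: one of the exceptions to the definition of Breach applies.
    if a.breach_exception != "None":
        return stop("Stop/Go 3", f"Breach exception applies: {a.breach_exception}.")
    stop_go["Stop/Go 3"] = StopGo.GREEN

    # Step 3: Breach is presumed unless the low-probability argument rebuts it.
    # ("Stop/Go 4" is an assumed label; the page does not name this button.)
    if a.low_probability_basis != "None":
        return stop("Stop/Go 4", f"Presumption rebutted; low probability: {a.low_probability_basis}.")
    stop_go["Stop/Go 4"] = StopGo.GREEN
    notes.append("Presumption of Breach not rebutted; Breach Notification is triggered.")
    return {"stop_go": stop_go, "description": notes, "notification_triggered": True}
```

Calling run_framework with WizardAnswers() (nothing selected at any Step) yields all four Stop/Go buttons GREEN and notification_triggered set to True; selecting any protocol, reason, exception or factor stops the analysis at that Step.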

Finally, our Wizard performs the Breach Notification date math for you (and more), at both the federal and state levels. If you have gotten this far, we recommend that you watch this video or Contact Us for a demo.