Once a breach has been discovered and defined,
Here are steps you should take to help to ease your mind.
The breach must now be "logged" just right
If you want to sleep at night.
It's not really all that complicated:
It requires a list that's signed and dated.
First, how many were affected?
Then where was the breach detected?
Business Associates were involved?
If not, half of the problem's solved.
Date of breach and when you knew.
Type of breach, location too.
Type of PHI exposed
Firewall good? Browsers closed?
Tell exactly how and when
Was required notice sent to them?
(those whose PHI was lost)
Your actions taken and the cost.
Mitigation steps complete?
Documented nice and neat?
Keep a history that's precise.
And now you're done. Isn't that nice?
Michael Smith, Client Success Manager