Auditing of technical controls is increasingly important as both the extent of use and the technical sophistication of applications, hardware, and networks increase.
Q: Is it necessary for organizations to provide HIPAA training for all workforce members, even those who are not involved in patient care? Does that include cafeteria staff, workers employed through a temp or staffing agency, etc.?
If your organization is regulated by HIPAA, either as a covered entity (CE) or as a business associate (BA), you probably started a HIPAA training program years ago, when the Privacy and Security Rules mandating workforce training were published. Whether old or recently created, your training program may never have met reasonable expectations in the first place. Now may be a good time to review, refresh, and refine that program and take it to a new level.
Even going out of business doesn’t protect an organization from HIPAA requirements. The Office for Civil Rights recently announced it reached a $100,000 settlement with the receiver liquidating the assets of Filefax, Inc., a Northbrook, Illinois, medical records company that shut down during an investigation of HIPAA violations.
Q: Are we required to explain why a vulnerability was not addressed or was deemed low priority in the risk management plan? If so, are there any examples of acceptable ways to document this per OCR?