One of the most important factors HHS and other enforcement agencies weigh when determining an organization's level of culpability is whether the incident resulted from negligence on the part of management, or whether it was an event beyond the control or knowledge of anyone in the organization. They also consider whether management took the necessary steps in the past to prevent the incident, or whether its cause was a lack of systems and safeguards. The entire tiered penalty system of the Final OMNIBUS Security Rule enacted in September of 2013 is structured around these factors.
All covered entities are required by law to provide training resources for all members of staff, and the law further requires that every training session be documented. Compliance officers often overlook this requirement, yet it exists specifically so that the level of culpability can be determined in the event of an audit. Here is why this matters.
In the event of a data breach or other incident that triggers an audit, a covered entity that cannot produce training logs and the other documents HHS considers the core of compliance documentation will find it very difficult to convince the enforcement authorities that the incident was not the result of inadequate training and safeguards. (Source: https://www.hipaanswers.com/hipaa-training-requirements/)
Missing training logs and other required documents can turn what might have been a simple request from HHS to make the necessary changes within 30 days into a finding that the incident resulted from a violation committed through negligence. Penalties for such violations are severe, up to 1.5 million per violation per calendar year. In addition, if it is proved that management was aware of the issue, or involved to some extent, the result can be criminal penalties and even imprisonment.