1. What type of ongoing educational activities would you provide for your organization's workforce to facilitate compliance with the HIPAA Privacy Rule and the ARRA privacy provisions? How would you implement these activities?
2. What criteria would you use to determine whether an incident is a security breach that workforce members should report per the ARRA requirements? What types of notification to individuals would you recommend? Would the method of notification vary based on the nature of the breach?
3. What process would you use to update policies and procedures? How frequently would you update them? How would you ensure that they continue to be valid and compliant with HIPAA, including ARRA provisions?