The following potential security issues were identified in a routine audit of log-ins to the electronic health record and other systems:

· Renee Blackmore accessed her own medical billing information and accounts receivable file two weeks after being hired but before she had completed all new-employee training.

· Marissa Benmore was found to have accessed the medical records in the EHR of two other persons with the last name of “Benmore.” Marissa has worked for this organization for two years.

In your opinion, how should a HIPAA Security Officer approach these two employees and handle the issues? What changes to training would you plan and implement for all employees based on these experiences?