$2$a$.$ A best practice for managing risk in an IT infrastructure is by using automation. Processes should be automated as much as possible to reduce human errors. Continuous monitoring is also a best practice. With continuous monitoring, controls are implemented and then checked and audited to ensure the controls are still in place. For example, after system patches are deployed, compliance audits are conducted regularly to verify that all systems are patched. Access controls, which lock down systems and data, are verified regularly to ensure they have not been modified. Continuous monitoring methods can be both automated and manual.

Answer the following question$($s$)$:

Do you believe there is a downside to automated continuous monitoring? Why or why not?

$2$b$.$ The HIPAA Privacy Rule determines how a health plan or covered entity may share protected health information $($PHI$).$ The Privacy Rule provides guidelines for when and how an employer is lawfully allowed to access an employees$$ PHI

Human resources $($HR$)$ departments maintain a variety of employment records.

Answer the following question$($s$)$:

Do HR departments have to abide by the HIPAA Privacy Rule when handling, creating, or storing an employee$$s records? Why or why not?