Risk register · R-024
A terminated workforce account remained active
The access review found one account still enabled after the workforce member’s final day.
Select a scenario, then walk from finding to requirement, owner, evidence, and audit record. The records are illustrative. The underlying model is implemented in Protexa.
Risk register · R-024
The access review found one account still enabled after the workforce member’s final day.
45 CFR § 164.308(a)(3)(ii)(C)
Implement procedures for terminating access to electronic protected health information when employment ends.
Assigned work · T-118
Disable the account, revoke active sessions, and record the completion time against the finding.
Uploaded artifact · EV-441
System record shows the account disabled and all sessions revoked. The artifact is attached to the control record for review and export.
Generated trace · AP-026
The finding, governing requirement, assigned remediation, source evidence, and reviewer decision are linked in one trace.
Risk register · R-031
The procedure exists, but no exercise verifies that authorized staff can reach ePHI during an outage.
45 CFR § 164.312(a)(2)(ii)
Establish procedures for obtaining necessary electronic protected health information during an emergency.
Assigned work · T-126
Run a tabletop exercise, document participants and results, then route the record for independent review.
Expected artifact
Upload the completed scenario, attendance record, observed result, and corrective actions before review can begin.
Trace status
The governing requirement and owner are linked, but the chain stops at evidence. Protexa exposes the missing proof before an audit does.
Vendor register · V-014
The vendor relationship requires documented assurance that protected information is appropriately safeguarded.
45 CFR § 164.308(b)(1)
Obtain satisfactory assurance that the business associate will appropriately safeguard electronic protected health information.
Assigned work · T-109
Confirm the agreement, security review, renewal date, and services covered before approving the vendor record.
Artifact bundle · EV-398
Signed agreement and assessment are present. The reviewer is checking whether the service scope matches the vendor record.
Trace status
All source material is linked. The chain becomes audit-ready when the assigned reviewer records approval or returns a specific exception.
Assessment responses, gap identification, remediation tasks, evidence records, human review states, parent-linked decision traces, and audit-bundle exports.
Completed audit-pack archives receive a SHA-256 hash. Trace lineage inside the bundle is represented by structured nodes and parent IDs.
Record identifiers, organizations, people, dates, and scenario details on this page are fabricated. No customer or patient data is used.
Protexa turns assessment state, remediation work, evidence, and human decisions into an exportable record an auditor can inspect.