Which of the following is true regarding HIPAA security provisions?
a Covered entities must appoint two chief security officers who can share security responsibilities for hour coverage
b Covered entities must conduct employee security training sessions every six months for all employees
c Covered entities must retain policies for years after they are no longer used
d Covered entities must conduct technical and nontechnical evaluations every six years