© clearwater compliance llc | all rights reserved copyright notice 1 copyright notice. all...

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Upload: esmeralda-angwin

Post on 14-Dec-2015


Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Welcome to today’s Live Event… we will begin shortly…

Please feel free to use the “Q&A” area to pose any ‘burning’ questions you may have in advance…

How the Omnibus Final Rule Raised the Ante for HIPAA Compliance

November 21, 2013

Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
615-656-4299 or 800-704-3394
[email protected] Compliance LLC

About HIPAA-HITECH Compliance

1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!

So there!

Poll #1 – What type of organization?

Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS

• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

http://www.linkedin.com/in/BobChaput

Our Passion

We’re excited about what we do because…

…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources

Nationwide Health Information Network (NwHIN) Vision

NwHIN and Privacy & Security

• What if my Protected Health Information is not complete, up-to-date and accurate?
• What if my Protected Health Information is shared? With whom? How?
• What if my Protected Health Information is not there when it is needed?

MyPHI / ePHI Privacy & security are essential to NwHIN healthcare vision

CONFIDENTIALITY
INTEGRITY
AVAILABILITY

What’s The Big Deal?¹

• Street cost for a stolen record
  • Medical: $50 vs SSN: $1
• Payout for identity theft
  • Medical: $20,000 vs Regular: $2,000
• Medical records can be exploited 4x longer
  • Credit cards can be cancelled; medical records can’t

Medical Record Abuse consequences
• Prescription Fraud
• Embarrassment
• Financial Fraud
• Personal Data Resale
• Blackmail / Extortion
• Medical Claims Fraud
• Job loss / Reputational

• Majority of clinical fraud? Obtain prescription narcotics for illegitimate use
• ~5% of clinical fraud: Free health care

¹ RSA Report on Cybercrime and the Healthcare Industry

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources

Three Pillars of HIPAA-HITECH Compliance…

Privacy | Security | Breach Notification

HIPAA | HITECH

Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• ~54 “dense” Implementation Specs

Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• ~50 Implementation Specs

Breach Notification IFR
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs

OMNIBUS FINAL RULE

Bottom Line Up Front

THREE absolute “game changers”:

1) More Enforcement
2) Bigger Penalties
3) Wider Net Cast

Health Information Technology for Economic and Clinical Health Act

HITECH = Hey It’s Time to End your Compliance Holiday

Business Associate and Subcontractor Provisions - 45 CFR §160.103

Before Omnibus
• Performs or assists in the performance of any function
  • TPAs
  • Analytics firms
  • Billing companies
  • IT consultants
  • Accountants
  • Etc.

After Omnibus
• Create, receive, maintain or transmit PHI
• All prior organizations AND,
  • Health Information Organizations
  • e-prescribing gateways
  • Transmits and has access
  • Personal Health Record vendors for CEs
  • SUBCONTRACTORS
  • Physical storage facilities and electronic storage vendors that maintain PHI
• CE to healthcare provider; NOT BA
• GHP to Plan Sponsor; NOT BA

• Much Wider Net
• More Risks & Liabilities
• More Monitoring by All

Applicability of Privacy Rule and Security Rule to Business Associates - 45 CFR §164.104

Before Omnibus
• Privacy Rule and Security Rule directly apply only to CEs
• BAs and their subcontractors are only indirectly subject to Rules contractually through BAAs

After Omnibus
• BAs to comply with the Privacy Rule and the Security Rule: direct liability
• BAs subject to CMPs and criminal penalties for a violation of the Privacy Rule or Security Rule.
• Remember: subcontractors are BAs!

• BAs: More Risks & Liabilities
• More Monitoring by Upstream CEs and BAs
• Get Going on Compliance Program Now!

Enforcement: Applicability of Enforcement Rule to Business Associates - 45 CFR §160.300

Before Omnibus
• BAs not directly subject to the HIPAA civil and criminal penalty scheme
• CEs were required to impose certain privacy and security obligations in BAAs

After Omnibus
• BAs directly liable
• These sections will add “business associate” to implement HITECH §13401 and §13404:
  • §§ 160.300; 160.304; 160.306(a) and (c); 160.308; 160.310; 160.312; 160.316; 160.401; 160.402; 160.404(b); 160.406; 160.408(c) and (d); and 160.410(a) and (c).

• BAs MUST GET SERIOUS NOW
• Policies, Procedures, People & Safeguards

Business Associate Agreement Provisions Required by Privacy Rule - 45 CFR §164.504(e)

Before Omnibus
• Establish the permitted and required uses and disclosures of PHI by the business associate.
• Limit further use or disclosure
• Use appropriate safeguards
• Report use or disclosure
• Ensure agents / subs protect
• Ensure access, amendment, accounting, etc.
• Destroy upon termination
• Etc.

After Omnibus
• ALL PLUS…
  • Report breaches of BAA
  • Report breaches of unsecured PHI
  • Comply with the Security Rule
  • Enter into a compliant downstream agreement with any subcontractor
• New Provision
  • If BA is to carry out a covered entity’s obligation under the Privacy Rule BAA must require the BA to accrue CE’s Privacy Rule

BAs and CEs must update BAAs; Grace period for certain BAAs

Definition of Breach - 45 CFR § 164.402

Before Omnibus
• “Harm Standard”
• “Secured PHI”
• Burden of Proof for CE
  • …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

After Omnibus
• Added a regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Compromise Assessment”
• Burden of Proof for CE
  • …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA
  • …all notifications have been made

• More Reportable Breaches
• More Pressure on CEs and BAs

Three Terms to Memorize¹

1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!

3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Give Your CEO and Outside Counsel Something to Work With!

¹ 45 CFR 160.401 Definitions

Enforcement: Amount of CMP - 45 CFR § 160.404

Violation Category - Section 1176(a)(1) | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know) | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000

• Discretion to Use $50K at Any Level
• CEs & BAs Act Swiftly in Case of Breach

Some OCR Corrective Action Plans

Settlements (12 shown, $13.5+M total):
• AHP: $1.2M
• WLP: $1.7M
• ISU: $400K
• HONI: $50K
• MEEI: $1.5M
• CVS: $2.3M
• Rite-Aid: $1.0M
• BCBS TN: $1.5M
• MGH: $1.0M
• PHX: $100K
• UCLA: $865K
• AK DHSS: $1.7M

Corrective Action Plan (CAP) Requirement | Settlements marked (x)
Establish a Comprehensive Information Security Program | x x
Designate an accountable Security Owner | x x
Develop Privacy and Security policies and procedures | x x x x x x x
Document authorized access to ePHI | x
Distribute and update policies and procedures | x x x x x x x
Document Process for responding to security incidents | x x x x x x x x x
Implement training and sanctions for non-compliance | x x x x x x x
Conduct Risk Analysis / Establish Risk Management Process | x x x x x x x x x x x x
Implement Reasonable Safeguards to control risks | x x x x x x x x x x
Regularly review records of information system activity | x
Implement reasonable steps to select service providers | x
Test and monitor security controls following changes | x x x x x x x x
Obtain assessments from qualified independent 3rd party | x x x x x x x x
Retain required documentation | x x x x x x x x x x

Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ 160.306, 160.308, 160.312

Before Omnibus
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve by informal means investigations

After Omnibus
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve by informal means investigations

• Increased Enforcement
• Don’t Wait
• Gap Assessments, Risk Analyses, PnPs, Training, etc.

New “Arrows” in HHS/OCR Enforcement Quiver

• New Civil Monetary Penalty System
• SAG Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• CMS MU Attestation Audits
• FCA?

Key Things To Remember

• HIPAA is only a “floor” of federal privacy protections
  – There are legal consequences if you fail to meet the federal “floor” of protections
  – Significance of “willful neglect”
    • Essential for civil penalties
    • HHS MUST formally investigate any complaint if facts indicate “possible violation due to willful neglect”, HITECH section 13410
    • HHS MUST impose a civil penalty
    • “Willful Neglect” = conscious, intentional failure or reckless indifference to legal requirements, section 160.410

What Happens If I Don't Comply?

HIPAA-HITECH CEs
• Civil Monetary Penalty System
• Criminal Penalties

Texas HB300 CEs
• Federal Civil Monetary Penalty System and Criminal Penalties PLUS…
• State of Texas Penalties, Disciplinary Actions and Audits
• Additional Texas Civil Penalties of $5,000 - $1.5 Million per violation
• Based on…
  1. Seriousness of the violation;
  2. Entity's compliance history;
  3. Harm done to individuals; and
  4. Efforts made to correct violations.

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources

Omnibus Timing¹

• January 17, 2013 Release
• January 25, 2013 Publication
• March 26, 2013 Effective Date
• September 23, 2013 Compliance Date

¹ Subject to BAA Transition Provisions

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?

Now What?

1. Breathe Deeply
2. Continue Education
3. Leverage Resources
4. Think Peer Working Group
5. Think Executive Sponsor
6. Assess Current Situation
7. Think Program, Not Project

Balanced Compliance Program

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent

People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.

Procedures or processes – documented - provide the actions required to deliver on organization’s values.

Safeguards includes the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.)

Clearwater Compliance Compass™

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources

8 Actions to Take Now

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

4. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))

5. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))

6. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

7. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

8. Document and act upon a remediation plan

Demonstrate Good Faith Effort!

Three Industry-Leading SaaS Solutions

… to address all regulatory requirements
… to operationalize your program

Three Ways to Engage… to meet your budget and assurance requirements

[Chart axes: Investment, Assurance]

Session Agenda

1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources

HIPAA-HITECH Compliance Resources

1. HIPAA-HITECH Risk Management eNewsletter
2. OCR Audit Resources
3. HIPAA-HITECH Resources
4. HIPAA Risk Analysis Resources
5. HIPAA Privacy Rule Resources

http://AboutHIPAA.com/

Helpful Resources

Clearwater CE Omnibus ReadinessCheck™: http://clearwatercompliance.com/covered-entity-omnibus-readinesscheck/

Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/

Helpful Resources

Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/

AboutHIPAA.com Risk Analysis Resources: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/

Clearwater HIPAA Compliance BootCamp™ Events

Take Your HIPAA Privacy and Security Program to a Better Place, Faster

December 11 | Live HIPAA BootCamp™ | St. Louis
January 16 | Live HIPAA BootCamp™ | Austin
February 12, 19, 26 | HIPAA Virtual BootCamp™

Other 2014 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• May 14-21-28
• August 13-20-27
• November 5-12-19

Other 2014 Plans - Live, In-Person Events (9-hours):
• March 17 – Detroit
• April 24 - San Francisco
• July 24 – Boston
• October 16 - Los Angeles

Expert Instructors

Gregory J. Ehardt, JD, LL.M.
HIPAA/Assistant Compliance Officer - HCA Adjunct Professor
Office of General Counsel
Idaho State University

Bob Chaput, CISSP, CIPP/US, CHP, CHSS
CEO
Clearwater Compliance

James C. Pyles, Esq.
Principal
Powers Pyles Sutter & Verville PC

Mary Chaput, MBA, CIPP/US, CHP
CFO & Chief Compliance Officer
Clearwater Compliance

Meredith Phillips, MHSA, CHC, CHPC
Chief Information Privacy & Security Officer
Henry Ford Health System

David Finn, CISA, CISM, CRISC
Health IT Officer
Symantec Corporation

In Summary - You Should Care

1. It’s the Law and Regs (many laws and Regs) … HIPAA & HITECH!

2. Your stakeholders trust and expect you to do this… and, may be liable, if you don’t!

3. Your revenues, assets and reputation depend on it!

Questions?