TRANSCRIPT
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use the “Q&A” area to pose any ‘burning’ questions you may have in advance…
How the Omnibus Final Rule Raised the Ante for HIPAA Compliance
November 21, 2013
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
615-656-4299 or 800-704-3394
[email protected]
Clearwater Compliance LLC
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
Poll #1 – What type of organization?
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because…
…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…
… and keeping those same organizations off the Wall of Shame…!
Session Agenda
1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources
Nationwide Health Information Network (NwHIN) Vision
NwHIN and Privacy & Security
What if my Protected Health Information is not complete, up-to-date and accurate?
What if my Protected Health Information is shared? With whom? How?
What if my Protected Health Information is not there when it is needed?
My PHI/ePHI privacy and security are essential to the NwHIN healthcare vision:
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
What’s The Big Deal?1
• Street cost for a stolen record: Medical $50 vs. SSN $1
• Payout for identity theft: Medical $20,000 vs. Regular $2,000
• Medical records can be exploited 4x longer: credit cards can be cancelled; medical records can’t
Medical record abuse consequences: Prescription Fraud, Embarrassment, Financial Fraud, Personal Data Resale, Blackmail / Extortion, Medical Claims Fraud, Job Loss / Reputational
• Majority of clinical fraud? Obtain prescription narcotics for illegitimate use
• ~5% of clinical fraud: Free health care
1 RSA Report on Cybercrime and the Healthcare Industry
Three Pillars of HIPAA-HITECH Compliance…
HIPAA / HITECH: Privacy, Security, Breach Notification
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
OMNIBUS FINAL RULE
Regulatory “Field Trip”: Part 160 and Part 164
Omnibus Final Rule: Big Changes in 160 & 164
Bottom Line Up Front
THREE absolute “game changers”:
1) More Enforcement
2) Bigger Penalties
3) Wider Net Cast
Health Information Technology for Economic and Clinical Health Act
HITECH = Hey It’s Time to End your Compliance Holiday
Business Associate and Subcontractor Provisions - 45 CFR §160.103
Before Omnibus:
• Performs or assists in the performance of any function
• TPAs, analytics firms, billing companies, IT consultants, accountants, etc.
After Omnibus:
• Create, receive, maintain or transmit PHI
• All prior organizations AND:
• Health Information Organizations
• e-prescribing gateways
• Transmits and has access
• Personal Health Record vendors for CEs
• SUBCONTRACTORS
• Physical storage facilities and electronic storage vendors that maintain PHI
• CE to healthcare provider: NOT a BA
• GHP to Plan Sponsor: NOT a BA
Much Wider Net; More Risks & Liabilities; More Monitoring by All
Applicability of Privacy Rule and Security Rule to Business Associates - 45 CFR §164.104
Before Omnibus:
• Privacy Rule and Security Rule directly apply only to CEs
• BAs and their subcontractors are only indirectly subject to the Rules, contractually through BAAs
After Omnibus:
• BAs must comply with the Privacy Rule and the Security Rule (direct liability)
• BAs subject to CMPs and criminal penalties for a violation of the Privacy Rule or Security Rule
• Remember: subcontractors are BAs!
BAs: More Risks & Liabilities; More Monitoring by Upstream CEs and BAs; Get Going on Compliance Program Now!
Enforcement: Applicability of Enforcement Rule to Business Associates - 45 CFR §160.300
Before Omnibus:
• BAs not directly subject to the HIPAA civil and criminal penalty scheme
• CEs were required to impose certain privacy and security obligations in BAAs
After Omnibus:
• BAs directly liable
• These sections add “business associate” to implement HITECH §13401 and §13404: §§ 160.300; 160.304; 160.306(a) and (c); 160.308; 160.310; 160.312; 160.316; 160.401; 160.402; 160.404(b); 160.406; 160.408(c) and (d); and 160.410(a) and (c).
BAs MUST GET SERIOUS NOW: Policies, Procedures, People & Safeguards
Business Associate Agreement Provisions Required by Privacy Rule - 45 CFR §164.504(e)
Before Omnibus:
• Establish the permitted and required uses and disclosures of PHI by the business associate
• Limit further use or disclosure
• Use appropriate safeguards
• Report use or disclosure
• Ensure agents / subs protect
• Ensure access, amendment, accounting, etc.
• Destroy upon termination
• Etc.
After Omnibus: ALL of the above PLUS…
• Report breaches of the BAA
• Report breaches of unsecured PHI
• Comply with the Security Rule
• Enter into a compliant downstream agreement with any subcontractor
• New Provision: if the BA is to carry out a covered entity’s obligation under the Privacy Rule, the BAA must require the BA to comply with the Privacy Rule requirements that apply to the CE in performing that obligation
BAs and CEs must update BAAs; grace period for certain BAAs
Definition of Breach - 45 CFR § 164.402
Before Omnibus:
• “Harm Standard”
• “Secured PHI”
• Burden of Proof for CE: …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
After Omnibus:
• Added a regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Compromise Assessment”
• Burden of Proof for CE: …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA: …all notifications have been made
More Reportable Breaches; More Pressure on CEs and BAs
Three Terms to Memorize1
1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
1 45 CFR 160.401 Definitions
Give Your CEO and Outside Counsel Something to Work With!
Enforcement: Amount of CMP - 45 CFR § 160.404
Violation Category (Section 1176(a)(1))      Penalty Range for Each Violation   All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)      $100 - $50,000                     $1,500,000
(B) Reasonable Cause                         $1,000 - $50,000                   $1,500,000
(C)(i) Willful Neglect – Corrected           $10,000 - $50,000                  $1,500,000
(C)(ii) Willful Neglect – Not Corrected      $50,000                            $1,500,000
Discretion to Use $50K at Any Level; CEs & BAs Act Swiftly in Case of Breach
Some OCR Corrective Action Plans
Settlements (organization: amount): AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite-Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M. Total: $13.5+M
Corrective Action Plan (CAP) Requirement (number of the 12 CAPs above that include it):
• Establish a Comprehensive Information Security Program (2)
• Designate an accountable Security Owner (2)
• Develop Privacy and Security policies and procedures (7)
• Document authorized access to ePHI (1)
• Distribute and update policies and procedures (7)
• Document process for responding to security incidents (9)
• Implement training and sanctions for non-compliance (7)
• Conduct Risk Analysis / Establish Risk Management Process (12)
• Implement reasonable safeguards to control risks (10)
• Regularly review records of information system activity (1)
• Implement reasonable steps to select service providers (1)
• Test and monitor security controls following changes (8)
• Obtain assessments from qualified independent 3rd party (8)
• Retain required documentation (10)
Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ 160.306, 160.308, 160.312
Before Omnibus:
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means
After Omnibus:
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions)
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means
Increased Enforcement; Don’t Wait: Gap Assessments, Risk Analyses, PnPs, Training, etc.
New “Arrows” in HHS/OCR Enforcement Quiver
• New Civil Monetary Penalty System
• SAG Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• CMS MU Attestation Audits
• FCA?
Key Things To Remember
• HIPAA is only a “floor” of federal privacy protections
– There are legal consequences if you fail to meet the federal “floor” of protections
– Significance of “willful neglect”
• Essential for civil penalties
• HHS MUST formally investigate any complaint if facts indicate “possible violation due to willful neglect” (HITECH section 13410)
• HHS MUST impose a civil penalty
• “Willful Neglect” = conscious, intentional failure or reckless indifference to legal requirements (section 160.410)
What Happens If I Don't Comply?
HIPAA-HITECH CEs:
• Civil Monetary Penalty System
• Criminal Penalties
Texas HB300 CEs:
• Federal Civil Monetary Penalty System and Criminal Penalties PLUS…
• State of Texas Penalties, Disciplinary Actions and Audits
• Additional Texas Civil Penalties of $5,000 - $1.5 Million per violation, based on:
1. Seriousness of the violation;
2. Entity's compliance history;
3. Harm done to individuals; and
4. Efforts made to correct violations.
Omnibus Timing1
• January 17, 2013: Release
• January 25, 2013: Publication
• March 26, 2013: Effective Date
• September 23, 2013: Compliance Date
1 Subject to BAA Transition Provisions
Now What?
1. Breathe Deeply
2. Continue Education
3. Leverage Resources
4. Think Peer Working Group
5. Think Executive Sponsor
6. Assess Current Situation
7. Think Program, Not Project
Balanced Compliance Program (Clearwater Compliance Compass™)
Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
8 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
4. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
5. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
6. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
7. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
8. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
Three Industry-Leading SaaS Solutions
… to address all regulatory requirements … to operationalize your program
Three Ways to Engage… to meet your budget and assurance requirements
(Figure: engagement options plotted by Investment against Assurance)
HIPAA-HITECH Compliance Resources
1. HIPAA-HITECH Risk Management eNewsletter
2. OCR Audit Resources
3. HIPAA-HITECH Resources
4. HIPAA Risk Analysis Resources
5. HIPAA Privacy Rule Resources
http://AboutHIPAA.com/
Helpful Resources
Clearwater CE Omnibus ReadinessCheck™: http://clearwatercompliance.com/covered-entity-omnibus-readinesscheck/
Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/
Helpful Resources
Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
AboutHIPAA.com Risk Analysis Resources: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/
Clearwater HIPAA Compliance BootCamp™ Events
Take Your HIPAA Privacy and Security Program to a Better Place, Faster
• December 11 | Live HIPAA BootCamp™ | St. Louis
• January 16 | Live HIPAA BootCamp™ | Austin
• February 12, 19, 26 | HIPAA Virtual BootCamp™
Other 2014 Plans – Live, In-Person Events (9 hours):
• March 17 – Detroit
• April 24 – San Francisco
• July 24 – Boston
• October 16 – Los Angeles
Other 2014 Plans – Virtual, Web-Based Events (3 3-hour sessions):
• May 14-21-28
• August 13-20-27
• November 5-12-19
Expert Instructors
• Bob Chaput, CISSP, CIPP/US, CHP, CHSS: CEO, Clearwater Compliance
• Mary Chaput, MBA, CIPP/US, CHP: CFO & Chief Compliance Officer, Clearwater Compliance
• Gregory J. Ehardt, JD, LL.M.: HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor; Office of General Counsel, Idaho State University
• James C. Pyles, Esq.: Principal, Powers Pyles Sutter & Verville PC
• Meredith Phillips, MHSA, CHC, CHPC: Chief Information Privacy & Security Officer, Henry Ford Health System
• David Finn, CISA, CISM, CRISC: Health IT Officer, Symantec Corporation
In Summary - You Should Care
1. It’s the Law and Regs (many laws and Regs) … HIPAA & HITECH!
2. Your stakeholders trust and expect you to do this… and may be liable if you don’t!
3. Your revenues, assets and reputation depend on it!
Contact
Bob Chaput, MA, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Questions?