
Page 1: 2019 31 1 Webinar Meeting in the Middle CEs BAs Cyber Risk v1 · Some Webinar Logistics 1.Slide materials –Link In Chat Box. Should have ... ─Experienced professional services

© Clearwater Compliance LLC | All Rights Reserved

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1


Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.

Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

© 2017 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC.


MEETING IN THE MIDDLE: COVERED ENTITIES, BUSINESS ASSOCIATES, & CYBER RISK

January 31, 2019


Some Webinar Logistics

1. Slide materials – Link in Chat Box. Should have also received in reminder email earlier today.
2. Please ask questions in “Question Area”
3. In case of technical issues, check “Chat Area”
4. All attendees are in “Listen Only Mode”
5. Please complete Exit Survey when you leave session
6. Recorded version, final slides and attendance certificates will be sent within 48 hours


About Clearwater

• Founded in 2009 to provide HIPAA compliance solutions. Today, a rapidly growing portfolio company of Altaris Capital Partners, a $3B healthcare PE firm.

• Leading provider of cyber risk management and HIPAA compliance solutions for healthcare.

• 400+ healthcare providers and business associate customers, including 60 IDNs.

• Our holistic solution goes deeper to map to the specific needs of each customer, and is powered by:
  ─ IRM|Pro™ - our enterprise Cyber Risk Management System (ECRMS) SaaS platform
  ─ NIST-based, proven methodology
  ─ Experienced professional services – experts in healthcare privacy and security

• Value for our customers: Protect patients and their data, save time and money, safeguard reputation, achieve compliance.

• Proven track record, with a 100% success rate when deliverables submitted to OCR.


About Polsinelli

Polsinelli serves clients nationally across the full spectrum of their legal needs: 100+ services and 70+ industry areas | 800+ Attorneys | 20 Cities

Metropolitan offices in:
▪ Atlanta
▪ Boston
▪ Chicago
▪ Dallas
▪ Denver
▪ Houston
▪ Kansas City
▪ Los Angeles
▪ Nashville
▪ New York
▪ Phoenix
▪ St. Louis
▪ San Francisco
▪ Silicon Valley
▪ Washington, D.C.
▪ Wilmington

Legal Industry National Recognition

• Ranked #24 for Client Service Excellence 2018 BTI Client Service A-Team Report

• Ranked #10 for Best Client Relationships 2017 BTI Industry Power Rankings

• Named Among the top 20 best-known firms in the nation 2017 BTI Brand Elite


About Today’s Presenters

Iliana Peters, JD, CISSP
Shareholder, Polsinelli PC; Former Acting Deputy Director, HHS Office for Civil Rights

• Recognized by the healthcare industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data

• For over a decade, she both developed health information privacy and security policy, including on emerging technologies and cyber threats, for the Department of Health and Human Services, and enforced HIPAA regulations through spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA.

• Member: ABA, AHLA, ISC2, Hispanic National Bar Association

Jon Moore, MS, JD, HCISPP
Chief Risk Officer & SVP Prof. Services, Clearwater

• 25+ Years Executive Leadership, Technology Consulting and Law
• 14+ Years Data Privacy & Security
• 10+ Years Healthcare
• Former PwC Federal Healthcare Leadership Team
• Former IT Operational Leader PwC Federal Practice
• BA Economics Haverford College, MS E-Commerce Carnegie Mellon University, JD Dickinson Law Penn State University
• Architect of Federal IT GRC Solution
• Expertise and Focus: Healthcare, Risk Management, Compliance
• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies


HIPAA’s impact on the business relationship between a covered entity and its vendors.


KEY DEFINITIONS


PHI Defined

Individually Identifiable Health Information

• Health information, including demographic information, collected from an individual, that is created or received by a covered entity and that identifies the individual or could reasonably be used to identify the individual.

Protected Health Information (PHI)

• “Individually identifiable health information held or transmitted in any form or medium by . . . HIPAA covered entities and business associates, subject to certain limited exceptions.”

PHI includes

• Information that relates to any of the following:
  • The individual’s past, present, or future physical or mental health or condition
  • The provision of health care to the individual
  • The past, present, or future payment for the provision of health care to the individual

• PHI includes any individual identifier, such as name, address, birth date, Social Security number, IP address


Covered Entities & Business Associates

“Covered Entities” include:

• Health plans

• Health care clearinghouses

• Health care providers who (i) transmit any health information in electronic form (ii) in connection with a transaction for which HHS has adopted a standard under HIPAA (a provider that keeps only paper records and never transmits such transactions electronically is not a covered entity).

“Business Associates”:

• Persons or entities that perform a service for, or on behalf of, a Covered Entity which involves the use or disclosure of PHI

• Need written Business Associate Agreement


“Business Associates” (45 C.F.R. § 160.103)

• Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

• (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

• (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

• (2) A covered entity may be a business associate of another covered entity.


“Satisfactory Assurances” (45 C.F.R. § 164.308(b))

• (b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

• (2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.


REGULATORY OVERVIEW


Privacy Rule Requirements For Business Associates:

• Permitted Uses and Disclosures
• Required Uses and Disclosures
• Accounting of Disclosures (through BAA)
• Subcontractors


Security Rule Requirements

General requirements (45 C.F.R. § 164.306(a)). Covered entities and business associates must do the following:

• (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

• (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

• (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

• Administrative, Physical, and Technical Safeguards


Breach Notification Rule Requirements

• Standard (45 C.F.R. § 164.410(a)) — (1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

• (2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).


Minimum Necessary Requirements

A CE or BA must limit use or disclosure of PHI to the minimum necessary amount required to meet the purpose of the use or disclosure.

There are exceptions:
• disclosures to a health care provider for treatment purposes
• disclosures to an Individual
• disclosures made pursuant to an authorization
• disclosures made to HHS
• disclosures required by law (but only disclose what is required)


HIPAA SECURITY RULE


HIPAA Security Rule | Types of Safeguards

• Administrative (e.g., policies and procedures, training);

• Technical (e.g., “firewalls”, encryption, access controls, authentication); and

• Physical (e.g., locking desk drawers, restricting facility access, key card access to secure area/data center).


Administrative Safeguards
§ Risk Assessment (ongoing) and Management
§ Workforce Authorization and Access
§ Security Awareness and Training
§ Security Incident Procedures (a required standard, § 164.308(a)(6))
§ Emergency and Contingency Plan

Physical Safeguards
§ Facility Access Controls
§ Workstation Use and Security
§ Device and Media Controls

Technical Safeguards
§ Access Control
§ Audit Controls
§ Data Integrity
§ Authentication
§ Transmission Security

Security Policies & Procedures


Covered Entities versus Business Associates

• No Audit Requirements
• Each must understand the risks to the ePHI
• Each must ensure protections to downstream vendors


§ 164.308(a)(1) | Security Management Process

• (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
• (ii) Implementation specifications:
  • (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.


April 2018 | OCR Cyber Security Newsletter

“A risk analysis is a comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.”


Scope

• “Risk analysis” known elsewhere as a “risk assessment.”
• For HIPAA, “The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.” (April 2018 OCR Cyber Security Newsletter)


§ 164.308(a)(1) | Security Management Process

• (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
• (ii) Implementation specifications:
  • (A)…
  • (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).


Monitor and Revise To Reflect:

• Enterprise and Environment Changes
• Ongoing Security Control Assessments
• Ongoing Remediation Actions
• Key Updates
• Security Status Reports
• Ongoing Risk Assessments
• Removal and Disposal

NIST SP 800-37


BREACH NOTIFICATION RULE


Breach Defined

“[B]reach means the acquisition, access, use, or disclosure of [unsecured] protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the protected health information.” 45 C.F.R. §164.402 (2013).


Breach Defined (cont.)

Secured PHI: PHI protected using encryption or an encryption process specified in HHS guidance
• Breach risk assessment NOT required
• Notification NOT required

Unsecured PHI: PHI NOT protected using encryption or an encryption process specified in HHS guidance
• Breach risk assessment required (the four-factor assessment under § 164.402, distinct from the Security Rule risk analysis)
• Notification required unless that assessment shows a low probability that the PHI has been compromised
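What “encryption specified in HHS guidance” means for the engineer building the laptop image or the backup pipeline, as an added example that is not part of the webinar: HHS’s guidance on rendering PHI unusable points to NIST SP 800-111 for data at rest and requires that the decryption key be kept on a device or at a location separate from the data. The Go program below (hypothetical names Envelope, SealPHI and OpenPHI; the PHI record and the key are constructed for the illustration) encrypts one ePHI record with AES-256-GCM, stores only the nonce and ciphertext, binds the record identifier as additional authenticated data, and fails closed when the ciphertext is tampered with, moved to another record, or opened with the wrong key. A device holding only Envelope values, with the key in a KMS or HSM, is the “secured” column above; the same device with the key sitting on its own disk is the “unsecured” column, whatever cipher was used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the only thing written to the laptop, backup tape or cloud
// bucket: a random nonce and the AES-GCM output (ciphertext plus 16-byte
// authentication tag). The key is deliberately not a field: HHS guidance
// counts PHI as "secured" only when the decryption key is stored apart
// from the data it protects.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey draws a fresh 256-bit AES key from the OS CSPRNG. In production
// the key lives in a KMS/HSM; a key hard-coded in the binary or derived from
// a short password would leave the data "unsecured" in the breach sense.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts one record. recordID is bound as additional authenticated
// data, so a ciphertext copied onto another patient's row fails to decrypt.
func SealPHI(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPHI decrypts and verifies in one step. Any change to the nonce,
// ciphertext, tag or recordID yields an error, never silently wrong PHI.
func OpenPHI(key []byte, recordID string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	key, _ := NewDataKey()
	phi := []byte("Jane Roe, DOB 1970-02-03, dx: asthma") // constructed sample record
	env, _ := SealPHI(key, "MRN-1001", phi)
	fmt.Printf("stored on device: nonce=%x ct=%x\n", env.Nonce, env.Ciphertext)

	if _, err := OpenPHI(key, "MRN-9999", env); err != nil {
		fmt.Println("ciphertext moved to another record:", err)
	}
	env.Ciphertext[0] ^= 0x01
	if _, err := OpenPHI(key, "MRN-1001", env); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
}
```

The same guidance covers data in transit by pointing to NIST SP 800-52 (TLS), so an encrypted-at-rest record that is e-mailed in the clear is still unsecured PHI on the wire.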


Risk of Compromise

1. Evaluate nature and extent of breach – what information?
   • Names of patients
   • Their addresses
   • Dates of birth
   • Social Security numbers
   • Email addresses
   • Medical billing information
   • Procedures performed
   • Physician’s name
   • Insurance carrier name and policy number
   • Diagnosis information

2. Identity of any known recipient
   • Stolen?
   • Lost?
   • Unknown?
   • Ransomware?

3. Actual acquisition or viewing of data

4. Mitigating action
   • Obtaining assurances of no further disclosures


Breach Does NOT Include – 3 Exceptions
Must document if an exception applies

1. Good-faith disclosures within the scope of employment

2. Inadvertent disclosures between otherwise authorized individuals at the same facility

3. Information disclosed not reasonably retained by recipient


ENFORCEMENT


Consequence of Non-Compliance
Violations of the HIPAA Rules have serious consequences

• Civil Penalties: tiered by culpability, from $100 up to $50,000 per violation, capped at $1.5 million per calendar year for all violations of an identical provision (see the table on the next slide); uncorrected willful neglect starts at $50,000 per violation

• Criminal Penalties: In addition to fines, violators may face up to 10 years in prison


Civil Monetary Penalties

Violation Category | Penalty Range for Each Violation | Maximum Penalty for all Violations of an Identical Provision in a Calendar Year
Entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision. | $100 to $50,000 | $1,500,000
Violation is due to reasonable cause and not to willful neglect. | $1,000 to $50,000 | $1,500,000
Violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | $10,000 to $50,000 | $1,500,000
Violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | At least $50,000 | $1,500,000


HIPAA Breach Highlights
500+ Breaches by Type of Breach, September 23, 2009 – August 31, 2018

• Theft 36%
• Loss 7%
• Unauthorized Access/Disclosure 29%
• Hacking/IT 21%
• Improper Disposal 3%
• Other 4%
• Unknown 1%


HIPAA Breach Highlights
500+ Breaches by Location of Breach, September 23, 2009 – August 31, 2018

• Paper Records 21%
• Desktop Computer 10%
• Laptop 15%
• Portable Electronic Device 9%
• Network Server 18%
• Email 13%
• EMR 6%
• Other 9%


HIPAA Breach Highlights
500+ Breaches by Type of Breach, September 1, 2015 – August 31, 2018

• Theft 20%
• Loss 5%
• Unauthorized Access/Disclosure 42%
• Hacking/IT 31%
• Improper Disposal 3%


HIPAA Breach Highlights
500+ Breaches by Location of Breach, September 1, 2015 – August 31, 2018

• Paper Records 23%
• Desktop Computer 7%
• Laptop 9%
• Portable Electronic Device 6%
• Network Server 22%
• Email 17%
• EMR 9%
• Other 8%


Enforcement Case Highlights

• In most cases, entities able to demonstrate satisfactory compliance through voluntary cooperation and corrective action
• In some cases though, nature or scope of indicated noncompliance warrants additional enforcement action
• Resolution Agreements/Corrective Action Plans
  • 58 settlement agreements that include detailed corrective action plans and monetary settlement amounts
  • 4 civil money penalties


Recent HHS Enforcement Actions

• February 1, 2018: Fresenius Medical Care North America (FMCNA), $3,500,000. Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules

• February 13, 2018: Filefax, Inc., $100,000. Consequences for HIPAA violations don’t stop when a business closes

• June 18, 2018: MD Anderson, $4.3 Million CMP. Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

• September 20, 2018: “ABC Television”, $999,000. Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements

• October 15, 2018: Anthem, $16 Million. Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

• November 26, 2018: Allergy Associates of Hartford, P.C., $125,000. Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter

• December 4, 2018: Advanced Care Hospitalists, PL, $500,000. Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement

• December 11, 2018: Pagosa Springs Medical Center, $111,400. Colorado hospital failed to terminate former employee’s access to electronic protected health information


State AG Case to Watch

• Indiana Attorney General leading a multi-state civil lawsuit against Medical Informatics Engineering Inc. and NoMoreClipboard LLC, which sustained a data breach which compromised the data of more than 3.9 million people.

• “Hackers infiltrated a web application called WebChart, which is run by MIE, between May 7 and May 26, 2015. The hackers stole electronic Protected Health Information, including names, phone numbers, mailing addresses, Social Security numbers, and usernames and passwords, among other types of information.”

• Alleges violations of HIPAA Rules, along with state claims including Unfair and Deceptive Practice Laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.

• “Hill's office says it is the first time state attorneys general have joined to pursue a HIPAA-related data breach case in federal court.” See http://www.insideindianabusiness.com/story/39579639/hill-files-multi-state-data-breach-lawsuit.


Recurring Compliance Issues

• Business Associate Agreements

• Risk Analysis

• Failure to Manage Identified Risk, e.g. Encrypt

• Lack of Transmission Security

• Lack of Appropriate Auditing

• No Patching of Software

• Insider Threat

• Improper Disposal

• Insufficient Data Backup and Contingency Planning
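The Pagosa Springs action above (a former employee’s ePHI access never terminated) and the “Lack of Appropriate Auditing” and “Insider Threat” items in this list are one control failure seen from two sides, and the § 164.312(b) audit trail is what catches it when the de-provisioning step is missed. The Go program below is an added example, not material from the webinar: it reconciles a constructed HR separation roster against constructed ePHI access-log lines and reports every access by an account after its owner’s termination date, oldest first, with the elapsed time so the worst cases sort to the top of a review. The log format, field names and sample data are assumptions made for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Termination is one row of the HR separation roster.
type Termination struct {
	User string
	At   time.Time
}

// Finding is one ePHI access by an account that should already have been disabled.
type Finding struct {
	User    string
	At      time.Time
	Action  string
	Patient string
	Lag     time.Duration // time elapsed between termination and the access
}

// SampleLog is a constructed audit log (not real data), one event per line:
//   <RFC3339 timestamp> user=<account> action=<verb> patient=<record id>
const SampleLog = `2018-07-01T09:12:00Z user=jdoe action=view patient=MRN-1001
2018-07-03T14:02:10Z user=asmith action=view patient=MRN-1044
2018-07-05T08:45:31Z user=jdoe action=export patient=MRN-1002
2018-07-09T22:17:05Z user=asmith action=view patient=MRN-1044
2018-07-10T10:00:00Z user=bwhite action=view patient=MRN-1099
2018-07-11T07:30:00Z user=asmith action=export patient=MRN-1050`

// SampleRoster is a constructed separation list: asmith left on July 6, jdoe on July 31.
var SampleRoster = []Termination{
	{User: "asmith", At: mustTime("2018-07-06T17:00:00Z")},
	{User: "jdoe", At: mustTime("2018-07-31T17:00:00Z")},
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// parseLine splits one audit line into timestamp and key=value fields.
// A malformed line is an error, not something to skip quietly: a gap in the
// audit trail is itself a finding.
func parseLine(line string) (time.Time, map[string]string, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return time.Time{}, nil, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, nil, err
	}
	kv := make(map[string]string, len(fields)-1)
	for _, f := range fields[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return time.Time{}, nil, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[parts[0]] = parts[1]
	}
	return ts, kv, nil
}

// PostTerminationAccess returns every access event whose account had already
// been terminated at the time of the event, oldest first.
func PostTerminationAccess(auditLog string, roster []Termination) ([]Finding, error) {
	termAt := make(map[string]time.Time, len(roster))
	for _, r := range roster {
		termAt[r.User] = r.At
	}
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ts, kv, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		left, gone := termAt[kv["user"]]
		if !gone || !ts.After(left) {
			continue // active account, or access before separation
		}
		out = append(out, Finding{User: kv["user"], At: ts, Action: kv["action"], Patient: kv["patient"], Lag: ts.Sub(left)})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out, nil
}

func main() {
	findings, err := PostTerminationAccess(SampleLog, SampleRoster)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s %s (%s after termination)\n", f.At.Format(time.RFC3339), f.User, f.Action, f.Patient, f.Lag)
	}
}
```

Run against the constructed data it reports the two asmith events of July 9 and July 11; the July 3 event is before separation and jdoe is still employed. In a real environment the roster comes from the HR system of record and the log from the EHR or identity provider, and the same reconciliation run daily is the detective control behind the “terminate access” requirement of § 164.308(a)(3).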


Business Associate Agreements

The HIPAA Rules generally require that covered entities and business associates enter into agreements with their business associates to ensure that the business associates will appropriately safeguard protected health information. See 45 C.F.R. § 164.308(b).

• April 20, 2017: Center for Children’s Digestive Health, $31,000. No Business Associate Agreement? $31K Mistake

• February 13, 2018: Filefax, Inc., $100,000. Consequences for HIPAA violations don’t stop when a business closes


Vendor Cyber Risk Management

• FTC Guidance: https://www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series

• NIST Guidance: https://www.nist.gov/cyberframework

• HHS Cloud Guidance: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html

• HHS Business Associate Guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?language=es

• Remote Access Issues


Upcoming Clearwater Events

Tutorial on OCR-Quality™ Risk Analyses & Risk Management for CEs & BAs
Webinar, Thursday, February 21, 11-12pm CT

Visit Clearwater in the Cybersecurity Command Center
Stop By & See Us!

Breakfast & Breaches: HIPAA & Cyber Risk Management Readiness, Recovery, & Requirements
Expert Panel Discussion with OCR Investigators & Cyber Risk Management Experts
Onsite & Virtual Event, Thursday, February 28, 7-9:30pm CT | CHICAGO


Questions?

Please Complete the Webinar Evaluation After You Exit the Webinar. We Value Your Feedback!

Jon Moore: [email protected] | Phone: 800-704-3394

Iliana L. Peters: [email protected]


Thank You.
