Webinar transcript (January 31, 2019): Meeting in the Middle: CEs, BAs & Cyber Risk (v1)
© Clearwater Compliance LLC | All Rights Reserved
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship.
Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.
© 2017 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC.
MEETING IN THE MIDDLE: COVERED ENTITIES, BUSINESS ASSOCIATES, & CYBER RISK
January 31, 2019
Some Webinar Logistics
1. Slide materials: link in the chat box. You should also have received them in the reminder email earlier today.
2. Please ask questions in the “Question Area”
3. In case of technical issues, check the “Chat Area”
4. All attendees are in “Listen Only Mode”
5. Please complete the Exit Survey when you leave the session
6. Recorded version, final slides and attendance certificates will be sent within 48 hours
About Clearwater
• Founded in 2009 to provide HIPAA compliance solutions. Today, a rapidly growing portfolio company of Altaris Capital Partners, a $3B healthcare PE firm.
• Leading provider of cyber risk management and HIPAA compliance solutions for healthcare.
• 400+ healthcare providers and business associate customers, including 60 IDNs.
• Our holistic solution goes deeper to map to the specific needs of each customer, and is powered by:
  ─ IRM|Pro™, our enterprise Cyber Risk Management System (ECRMS) SaaS platform
  ─ NIST-based, proven methodology
  ─ Experienced professional services: experts in healthcare privacy and security
• Value for our customers: protect patients and their data, save time and money, safeguard reputation, achieve compliance.
• Proven track record, with a 100% success rate when deliverables are submitted to OCR.
About Polsinelli
Polsinelli serves clients nationally across the full spectrum of their legal needs: 100+ services and 70+ industry areas | 800+ Attorneys | 20 Cities
Metropolitan offices in: Atlanta, Boston, Chicago, Dallas, Denver, Houston, Kansas City, Los Angeles, Nashville, New York, Phoenix, St. Louis, San Francisco, Silicon Valley, Washington, D.C., Wilmington
Legal Industry National Recognition
• Ranked #24 for Client Service Excellence 2018 BTI Client Service A-Team Report
• Ranked #10 for Best Client Relationships 2017 BTI Industry Power Rankings
• Named Among the top 20 best-known firms in the nation 2017 BTI Brand Elite
About Today’s Presenters
Iliana Peters, JD, CISSP
Shareholder, Polsinelli PC; Former Acting Deputy Director, HHS Office for Civil Rights
• Recognized by the healthcare industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data
• For over a decade, she both developed health information privacy and security policy, including on emerging technologies and cyber threats, for the Department of Health and Human Services, and enforced HIPAA regulations by spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA.
• Member: ABA, AHLA, ISC2, Hispanic National Bar Association
Jon Moore, MS, JD, HCISPP
Chief Risk Officer & SVP Professional Services, Clearwater
• 25+ Years Executive Leadership, Technology Consulting and Law
• 14+ Years Data Privacy & Security
• 10+ Years Healthcare
• Former PwC Federal Healthcare Leadership Team
• Former IT Operational Leader, PwC Federal Practice
• BA Economics, Haverford College; MS E-Commerce, Carnegie Mellon University; JD, Dickinson Law, Penn State University
• Architect of Federal IT GRC Solution
• Expertise and Focus: Healthcare, Risk Management, Compliance
• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies
HIPAA’s impact on the business relationship between a covered entity and its vendors.
KEY DEFINITIONS
PHI Defined
Individually Identifiable Health Information
• Any information, including demographic information, collected from an individual, that is created by a CE.
Protected Health Information (PHI)
• “Individually identifiable health information held or transmitted in any form or medium by . . . HIPAA covered entities and business associates, subject to certain limited exceptions.”
PHI includes
• Information that relates to all of the following:
  • The individual’s past, present, or future physical or mental health or condition
  • The provision of health care to the individual
  • The past, present, or future payment for the provision of health care to the individual
• PHI includes any individual identifier, such as name, address, birth date, Social Security number, IP address
Covered Entities & Business Associates
“Covered Entities” include:
• Health plans
• Health care clearinghouses
• Health care providers who (i) transmit any health information in electronic form (ii) in connection with a transaction covered by the HIPAA Privacy Rule.
“Business Associates”:
• Persons or entities that perform a service for, or on behalf of, a Covered
Entity which involves the use or disclosure of PHI
• Need written Business Associate Agreement
“Business Associates”
• Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
• (2) A covered entity may be a business associate of another covered entity.
“Satisfactory Assurances”
• (b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
• (2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
REGULATORY OVERVIEW
Privacy Rule Requirements for Business Associates:
• Permitted Uses and Disclosures
• Required Uses and Disclosures
• Accounting of Disclosures (through BAA)
• Subcontractors
Security Rule Requirements
General requirements. Covered entities and business associates must do the following:
• (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
• (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
• Administrative, Physical, and Technical Safeguards
Breach Notification Rule Requirements
• Standard — (1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.
• (2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
Minimum Necessary Requirements
A CE or BA must limit use or disclosure of PHI to the minimum necessary amount required to meet the purpose of the use or disclosure.
There are exceptions:
• disclosures to a health care provider for treatment purposes
• disclosures to an individual
• disclosures made pursuant to an authorization
• disclosures made to HHS
• disclosures required by law (but only disclose what is required)
HIPAA SECURITY RULE
HIPAA Security Rule | Types of Safeguards
• Administrative (e.g., policies and procedures, training);
• Technical (e.g., “firewalls”, encryption, access controls, authentication); and
• Physical (e.g., locking desk drawers, restricting facility access, key card access to secure area/data center).
Administrative Safeguards
§ Risk Assessment (ongoing) and Management
§ Workforce Authorization and Access
§ Security Awareness and Training
§ Security Incidents (suggested)
§ Emergency and Contingency Plan
Physical Safeguards
§ Facility Access Controls
§ Workstation Use and Security
§ Device and Media Controls
Technical Safeguards
§ Access Control
§ Audit Controls
§ Data Integrity
§ Authentication
§ Transmission Security
Security Policies & Procedures
Covered Entities versus Business Associates
• No Audit Requirements
• Each must understand the risks to the ePHI
• Each must ensure protections to downstream vendors
§ 164.308(a)(1) | Security Management Process
• (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
• (ii) Implementation specifications:
  • (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
April 2018 | OCR Cyber Security Newsletter
“A risk analysis is a comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.”
Scope
• “Risk analysis” is known elsewhere as a “risk assessment.”
• For HIPAA, “The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.” (April 2018 OCR Cyber Security Newsletter)
§ 164.308(a)(1) | Security Management Process
• (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
• (ii) Implementation specifications:
  • (A) …
  • (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Monitor and Revise To Reflect:
• Enterprise and Environment Changes
• Ongoing Security Control Assessments
• Ongoing Remediation Actions
• Key Updates
• Security Status Reports
• Ongoing Risk Assessments
• Removal and Disposal
Source: NIST SP 800-37
BREACH NOTIFICATION RULE
Breach Defined
“[B]reach means the acquisition, access, use, or disclosure of [unsecured] protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the protected health information.” 45 C.F.R. §164.402 (2013).
Breach Defined (cont.)
Secured PHI: PHI safeguarded using encryption or an encryption algorithm specified in HHS guidance
• Risk Analysis NOT Required
• Notification NOT Required
Unsecured PHI: PHI NOT safeguarded using encryption or an encryption algorithm specified in HHS guidance
• Risk Analysis Required
• Notification Required
Risk of Compromise
1. Evaluate the nature and extent of the breach: what information?
   • Names of patients, their addresses, dates of birth, Social Security numbers, email addresses, medical billing information, procedures performed, physician’s name, insurance carrier name and policy number, diagnosis information
2. Identity of any known recipient
   • Stolen? Lost? Unknown? Ransomware?
3. Actual acquisition or viewing of data
4. Mitigating action
   • Obtaining assurances of no further disclosures
Breach Does NOT Include – 3 Exceptions (must document if an exception applies)
1. Good-faith disclosures within the scope of employment
2. Inadvertent disclosures between otherwise authorized individuals at the same facility
3. Information disclosed not reasonably retained by recipient
ENFORCEMENT
Consequence of Non-Compliance
Violations of the HIPAA Rules have serious consequences:
• Civil Penalties: may range from $50,000 per incident up to $1.5 million per incident for violations that are not corrected, per calendar year
• Criminal Penalties: in addition to fines, violators may face up to 10 years in prison
Civil Monetary Penalties

| Violation Category | Penalty Range for Each Violation | Maximum Penalty for all Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision. | $100 to $50,000 | $1,500,000 |
| Violation is due to reasonable cause and not to willful neglect. | $1,000 to $50,000 | $1,500,000 |
| Violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | $10,000 to $50,000 | $1,500,000 |
| Violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. | At least $50,000 | $1,500,000 |
HIPAA Breach Highlights: 500+ Breaches by Type of Breach, September 23, 2009 – August 31, 2018 (pie chart): Theft 36%, Loss 7%, Unauthorized Access/Disclosure 29%, Hacking/IT 21%, Improper Disposal 3%, Other 4%, Unknown 1%
HIPAA Breach Highlights: 500+ Breaches by Location of Breach, September 23, 2009 – August 31, 2018 (pie chart): Paper Records 21%, Desktop Computer 10%, Laptop 15%, Portable Electronic Device 9%, Network Server 18%, Email 13%, EMR 6%, Other 9%
HIPAA Breach Highlights: 500+ Breaches by Type of Breach, September 1, 2015 – August 31, 2018 (pie chart): Theft 20%, Loss 5%, Unauthorized Access/Disclosure 42%, Hacking/IT 31%, Improper Disposal 3%
HIPAA Breach Highlights: 500+ Breaches by Location of Breach, September 1, 2015 – August 31, 2018 (pie chart): Paper Records 23%, Desktop Computer 7%, Laptop 9%, Portable Electronic Device 6%, Network Server 22%, Email 17%, EMR 9%, Other 8%
Enforcement Case Highlights
• In most cases, entities are able to demonstrate satisfactory compliance through voluntary cooperation and corrective action
• In some cases, though, the nature or scope of the indicated noncompliance warrants additional enforcement action
• Resolution Agreements/Corrective Action Plans
  • 58 settlement agreements that include detailed corrective action plans and monetary settlement amounts
  • 4 civil money penalties
41
Recent HHS Enforcement Actions
• February 1, 2018: Fresenius Medical Care North America (FMCNA), $3,500,000. Five breaches add up to millions in settlement costs for an entity that failed to heed HIPAA's risk analysis and risk management rules.
• February 13, 2018: Filefax, Inc., $100,000. Consequences for HIPAA violations don't stop when a business closes.
• June 18, 2018: MD Anderson, $4.3 million civil money penalty (CMP). Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations.
• September 20, 2018: "ABC Television", $999,000. Unauthorized disclosure of patients' protected health information during ABC Television filming results in multiple HIPAA settlements.
• October 15, 2018: Anthem, $16 million. Anthem pays OCR $16 million in record HIPAA settlement following the largest U.S. health data breach in history.
• November 26, 2018: Allergy Associates of Hartford, P.C., $125,000. Allergy practice pays $125,000 to settle a doctor's disclosure of patient information to a reporter.
• December 4, 2018: Advanced Care Hospitalists, PL, $500,000. Florida contractor physicians' group shares protected health information with an unknown vendor without a business associate agreement.
• December 11, 2018: Pagosa Springs Medical Center, $111,400. Colorado hospital failed to terminate a former employee's access to electronic protected health information.
42
State AG Case to Watch
• Indiana Attorney General leading a multi-state civil lawsuit against Medical Informatics Engineering Inc. (MIE) and NoMoreClipboard LLC, which sustained a data breach that compromised the data of more than 3.9 million people.
• "Hackers infiltrated a web application called WebChart, which is run by MIE, between May 7 and May 26, 2015. The hackers stole electronic Protected Health Information, including names, phone numbers, mailing addresses, Social Security numbers, and usernames and passwords, among other types of information."
• Alleges violations of the HIPAA Rules, along with state claims including Unfair and Deceptive Practice Laws, Notice of Data Breach statutes, and state Personal Information Protection Acts.
• "Hill's office says it is the first time state attorneys general have joined to pursue a HIPAA-related data breach case in federal court." See http://www.insideindianabusiness.com/story/39579639/hill-files-multi-state-data-breach-lawsuit.
43
Recurring Compliance Issues
• Business Associate Agreements
• Risk Analysis
• Failure to Manage Identified Risk, e.g. Encrypt
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning
44
Business Associate Agreements
The HIPAA Rules generally require that covered entities and business associates enter into agreements with their business associates to ensure that the business associates will appropriately safeguard protected health information. See 45 C.F.R. § 164.308(b).
• April 20, 2017: Center for Children's Digestive Health, $31,000. No Business Associate Agreement? $31K mistake.
• February 13, 2018: Filefax, Inc., $100,000. Consequences for HIPAA violations don't stop when a business closes.
45
Vendor Cyber Risk Management
• FTC Guidance: https://www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series
• NIST Guidance: https://www.nist.gov/cyberframework
• HHS Cloud Guidance: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
• HHS Business Associate Guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?language=es
• Remote Access Issues
46
Upcoming Clearwater Events

Tutorial on OCR-Quality™ Risk Analyses & Risk Management for CEs & BAs
Webinar
Thursday, February 21, 11 am–12 pm CT

Visit Clearwater in the Cybersecurity Command Center
Stop By & See Us!

Breakfast & Breaches: HIPAA & Cyber Risk Management Readiness, Recovery, & Requirements
Expert Panel Discussion with OCR Investigators & Cyber Risk Management Experts
Onsite & Virtual Event
Thursday, February 28, 7–9:30 pm CT | CHICAGO
Questions?
Please Complete the Webinar Evaluation After You Exit the Webinar. We Value Your Feedback!
Jon [email protected]: 800-704-3394
Iliana L. [email protected]
Thank You.