
Page 1: The Critical Difference - HIPAA Security Compliance ... · o How To Conduct a Bona Fide HIPAA Security Risk Analysis o How to Conduct the Periodic Security Evaluation Required by

May 15, 2015

The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis

Page 2

© Clearwater Compliance | All Rights Reserved


Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

For reprint permission and information, please direct your inquiry to [email protected]

Page 3

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 4

Clearwater Information Risk Management Life Cycle (adapted from NIST SP 800-39)

Page 5

Some Ground Rules…

1. Slide materials
   A. Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours

Page 6

About HIPAA-HITECH Compliance

We are not attorneys!

The Omnibus has arrived!

Lots of different interpretations!

Page 7

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• President – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: ACAP, CHIME/AEHIS, AHA, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards

linkedin.com/in/BobChaput

Page 8

Our Passion

We’re excited about what we do because…

…we’re helping organizations improve care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 9

Pause and Quick Poll

What type of organization do you represent?

• CE
• BA
• HYBRID
• Don’t Know

Page 10

Pause and Quick Poll

How many Clearwater Compliance webinars have you attended before?

Page 11

Mega Session Objective:

Help you understand and address three very specific AND different HIPAA Security Rule assessment requirements…

Page 12

All Three Are Required!

Page 13

An Important Case Study

• OCR is "turning up the gain”
• Completing compliance assessments is equally important to risk analyses even though focus has shifted
• See “Initial Data Request” (my emphasis) starting on page 4 and notice all the requests for “evidence” (“Are you abiding by, practicing, enforcing …”?)
• New Math:
  + IF “willful neglect” CMP means $50,000 per violation = $50,000 x 197,000 individuals [= $9.85B (yes, B!!)]
  + Good news, capped at $1.5 for each regulatory violation
  + For each calendar year in which the violation occurred (N.B., request for all risk analyses performed in last six (6) years)
  + See list of 21 violations estimated 10s of $millions CMP

Page 14

Bottom Line Up Front

Security Evaluation IS NOT EQUAL TO Risk Analysis

Page 15

What’s similar?

Both are somewhat complex

Both help determine gaps

Both robustly audited in OCR Audit Protocol

Both are important and necessary

Both required by HIPAA Security Final Rule

Both have been required since April 2005

Both need “periodic” updates

Both help you become compliant with the HIPAA Security Rule

Page 16

What’s different?

One is Forest-level; two are Trees/Weeds-level

One is “named” in Meaningful Use Stage I & II & III Objectives

One has specific ‘Final Guidance’ from OCR on how to perform

One has two parts; one has one part

One is compliance-focused; one is exposure-focused

One is an overall compliance assessment; one is a risk assessment

NO OMNIBUS CHANGES – Welcome BAs!

Page 17

Other Helpful Resources:

Recorded Webinars at https://clearwatercompliance.com/on-demand-webinars/

o How To Conduct a Bona Fide HIPAA Security Risk Analysis

o How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule

o What Business Associates Need to Know about HIPAA

Blog Post

HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis

Page 18

Session Objectives

Review specific HIPAA Security Assessment Regulations

Understand Compliance Assessment Essentials

Learn how to Complete These Assessments

Page 19

Three Pillars of HIPAA-HITECH Compliance… (HIPAA, HITECH and the OMNIBUS FINAL RULE)

Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• 54 Implementation Specs

Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• 50 Implementation Specs

Breach Notification IFR
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs

Page 20

Assessments and Audits Are Central to Compliance

• Establishing good policy and procedures is not enough…
• Comprehensive business processes are not enough…
• Deploying leading technology solutions and systems controls is not enough…

Regular assessments are crucial in establishing and maintaining effective compliance

Page 21

How to Do It Right

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Think Program, Not Project! Not Once and Done!

START
• Oversight
• Inventory PHI & ePHI
• Inventory BAs
• Assessments
• Remediation Plans
• Policies & Procedures
• Business Associate Management
• Training

YEAR 1
• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Re-Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update

YEAR 2
• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Re-Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update

Ongoing Support and Guidance

Page 22

Types of Assessments

1. Compliance Assessments (Security Evaluation - Non-Technical, at 45 CFR §164.308(a)(8))
• Where do we stand?
• How well are we achieving ongoing compliance?

2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
• What is the exposure to information assets (e.g., ePHI)?
• What do we need to do to mitigate risks?

3. Technical Assessments (Security Evaluation – Technical, at 45 CFR §164.308(a)(8))
• How effective are the safeguards we have implemented?
• Are the safeguards working?

4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
• Have we caused legal, reputational, etc. harm?
• Is there low probability of compromise of PHI?

Each Assessment Has Its Role and Proper Time

Page 23

10 Actions to Take Now

Derived from OCR Enforcement Actions | Demonstrate Reasonable Diligence

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))

2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)

3. Train all Members of Your Workforce (45 CFR §164.530(b), 45 CFR §164.308(a)(5) and 45 CFR §164.414)

4. Complete a HIPAA Security Risk Analysis and Risk Management (45 CFR §164.308(a)(1)(ii)(A) and (B))

5. Complete a HIPAA Security Non-Technical Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))

6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))

7. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)

8. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))

9. Assess your current Insurance Coverage (e.g., Cyber Liability, D&O, E&O, P&C)

10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))

Page 24

Session Objectives

Review specific HIPAA Security Assessment Regulations

Page 25

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 26

Three Dimensions of HIPAA Security Business Risk Management (Test & Audit)

• 45 CFR 164.308(a)(1)(ii)(A): Risk Analysis
• 45 CFR 164.308(a)(8): Non-Technical Compliance Assessment
• 45 CFR 164.308(a)(8) & OCR Audit Protocol: Technical Testing & Audits

Page 27

Session Objectives

Learn how to Complete These Assessments


Page 29

3 Dimensions of HIPAA Non-Technical Security Evaluation (a.k.a. Compliance Gap Assessment, a.k.a. Mock Audit)

1. Is it documented? Policies, Procedures and Documentation
2. Are you doing it? Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? Comply with the implementation specification

Page 30

Reference NIST SP 800-66

• Basis of HIPAA Security Rule
• Cross-walks HIPAA Security Rule to Compendium of NIST Security Framework Documents

http://clearwatercompliance.com/wp-content/uploads/2013/12/NIST_SP-800-66-Revision1.pdf

Page 31

Understand and Reference 2012 Audit Program Protocol

• Established Performance Criteria (usually Standard or Implementation Spec or Requirement)
• Key Activity (usually one or more)
• Audit Procedures (usually one or more)

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

Page 32

The Inevitable for Phase II Audits

• OCR’s permanent HIPAA audit program slated to begin in 2015
• ~200 Covered Entities to be selected for desk audits
• Equal number or less BAs selected for desk audits
• Greater number of on-site audits, but no specific number given yet.
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program

2015 CE Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Content and timeliness of breach notifications
• Privacy—Notice of Privacy Practices and Access

2015 BA Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Breach reporting to covered entities

Page 33

Use Document Request List

Are you prepared to quickly assemble and submit all necessary policies, procedures and documentation?

Page 34

Pause and Quick Poll

Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8)) ?


Page 36

HIPAA Security Technical Evaluation

• External Network Vulnerability Assessment & Penetration Testing
• Internal Network Vulnerability Assessment & Penetration Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans

ALL IMPORTANT – AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS

Page 37

Reference NIST SP 800-53A

“Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”

http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf


Page 38

Reference NIST SP 800-115

• Basis of Technical Evaluations
• Pen Testing
• Vulnerability Scans
• Post Testing Activities

http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf

Page 39

Pause and Quick Poll

Has Your Organization Completed the Technical Evaluation (=Testing) of Your Environment (45 CFR § 164.308(a)(8))?


Page 41

Risk Analysis

Identify, Rate and Prioritize All Risks

1. What is our exposure of our information assets (e.g. ePHI)?

2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?

Page 42

Thinking Like a Risk Analyst

Security Risk exists when and only when… all three are present:
• THREAT (Actor)
• VULNERABILITY
• IMPACT (LOSS OF OR HARM to ASSETS)

MUST HAVE A “TRIPLE” TO HAVE RISK = ASSET – THREAT – VULNERABILITY!

Page 43

Risk Analysis IS:

…the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. (NIST SP 800-30)

Page 44

Controls Help Address Vulnerabilities

Information Asset
• Laptop with ePHI

Threat Source
• Burglar who may steal Laptop with ePHI

Threat Action
• Steal Laptop

Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup

Page 45

…from HHS/OCR Final Guidance

Regardless of the risk analysis methodology employed…

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. §164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§164.306(e) and 164.316(b)(2)(iii).)

Page 46

Determine Likelihood and Impact

Asset  | Threat Source / Action      | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop       | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop       | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop       | No tracking         | High (5)   | High (5)
Laptop | “Shoulder Surfer” views     | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User Drops         | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home  | No surge protection | Low (1)    | High (5)
etc.
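The table above, step 7 of the OCR guidance (level of risk from the values assigned to likelihood and impact) and the "triple" rule from the Thinking Like a Risk Analyst slide can be worked through in code. The Python below is an added example, not material from the deck and not Clearwater's IRM|Analysis software: it loads the laptop rows as a register, rejects any entry missing its asset-threat-vulnerability triple, ranks the rows into a risk rating report, and re-rates the register once controls from the laptop slide are in place. The score bands and the control-to-vulnerability mapping are assumptions of the example.

```python
"""Risk register using the Likelihood x Impact rating from the slide's
'Determine Likelihood and Impact' table (Low = 1, Medium = 3, High = 5).
Added illustration only; it is not Clearwater's IRM|Analysis software."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple

# Ordinal values taken from the slide's table.
SCALE: Dict[str, int] = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # threat source / action, e.g. "Burglar steals laptop"
    vulnerability: str
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High"

    def __post_init__(self) -> None:
        # The "Thinking Like a Risk Analyst" rule: no risk without the full
        # asset-threat-vulnerability triple.
        for part in ("asset", "threat", "vulnerability"):
            if not getattr(self, part).strip():
                raise ValueError(f"no {part}: a risk needs the full triple")
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {sorted(SCALE)}")

    def score(self) -> int:
        # OCR guidance step 7: level of risk from the likelihood and impact values.
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        # Bands over the 1..25 product are this example's assumption, not OCR's.
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 5 else "Low"


# Rows constructed from the slide's table:
# (asset, threat source / action, vulnerability, likelihood, impact).
LAPTOP_TABLE: Sequence[Tuple[str, str, str, str, str]] = (
    ("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    ("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    ("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    ("Laptop", "Shoulder surfer views screen", "No privacy screen", "Low", "Medium"),
    ("Laptop", "Careless user drops laptop", "No data backup", "Medium", "High"),
    ("Laptop", "Lightning strike hits home", "No surge protection", "Low", "High"),
)

# Controls from the "Controls Help Address Vulnerabilities" slide, mapped to the
# table vulnerability each one closes. The mapping is this example's assumption.
CONTROL_CLOSES: Dict[str, str] = {
    "Encryption": "No encryption",
    "Strong passwords": "Weak passwords",
    "Data Backup": "No data backup",
}


def build_register(rows: Iterable[Sequence[str]]) -> List[Risk]:
    """Turn table rows into validated Risk records (raises on an incomplete triple)."""
    return [Risk(*row) for row in rows]


def risk_rating_report(register: Iterable[Risk]) -> List[Tuple[str, int, str]]:
    """The 'Risk Rating Report': (vulnerability, score, level), highest risk first.
    sorted() is stable, so rows with equal scores keep their table order."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.vulnerability, r.score(), r.level()) for r in ranked]


def apply_controls(register: Iterable[Risk], in_place: Iterable[str]) -> List[Risk]:
    """Re-assess after remediation: drop each risk whose vulnerability is closed by
    a control that is actually in place (documented AND practised, not just planned)."""
    closed = {CONTROL_CLOSES[c] for c in in_place if c in CONTROL_CLOSES}
    return [r for r in register if r.vulnerability not in closed]


def summarize(register: Iterable[Risk]) -> Dict[str, int]:
    """Count of risks per level, the headline figure for a remediation plan."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[r.level()] += 1
    return counts


if __name__ == "__main__":
    register = build_register(LAPTOP_TABLE)
    print("Initial rating:", risk_rating_report(register), summarize(register))
    remediated = apply_controls(register, ["Encryption", "Strong passwords", "Data Backup"])
    print("After controls:", risk_rating_report(remediated), summarize(remediated))
```

Re-running the register after each remediation step is what step 9 of the guidance ("periodic review and updates") looks like in practice: the report changes only when a control is genuinely in place.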

Page 47

Risk Management Guidance

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Final

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39, Managing Information Security Risk
• NIST SP800-53 Revision 3 Final, Recommended Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Page 48

What a Real Risk Analysis Looks Like

Page 49

Risk Rating Report – Most Critical Output

Page 50

Pause and Quick Poll

Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?

Page 51

Not a Once & Done

“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by copy XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”


What’s similar?

Both are somewhat complex

Both help determine gaps

Both robustly audited in OCR Audit Protocol

Both are important and necessary

Both required by HIPAA Security Final Rule

Both have been required since April 2005

Both need “periodic” updates

Both help you become compliant with the HIPAA Security Rule

What’s different?

One is Forest-level; two are Trees/Weeds-level

One is “named” in Meaningful Use Stage I Objectives

One has specific ‘Final Guidance’ from OCR on how to perform

One has two parts; one has one part

One is compliance-focused; one is exposure-focused

One is an overall compliance assessment; one is a risk assessment

Security Evaluation IS NOT EQUAL TO Risk Analysis

Three Industry-Leading SaaS Solutions…

… to address all HIPAA regulatory requirements

IRM | Privacy™ - Clearwater’s HIPAA Privacy and Breach Notification Assessment Software

IRM | Security™ - Clearwater’s HIPAA Security Assessment Software

IRM | Analysis™ - Clearwater’s Risk Analysis Software

Clearwater WorkShop™ Process

01 Preparation
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription/Train
• Administer Surveys

02 Onsite Discovery/Assessment
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS

03 Written Report
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off

Software Subscription Plus WorkShop™
• 2.5-hours training for as many staff as you wish
• Ongoing technical support
• IRM | Analysis™ - 2 or 3-year subscription, paid annually.
• Ongoing software updates.
• Ongoing Community engagement.
• Professional consulting services to complete the risk analysis process, end-to-end.
• Risk Analysis Report with Findings, Observations and Recommendations.
• Fully-populated IRM | Analysis™ software application.

Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.

The Clearwater Engagement Model

Proven Engagement Model - Used 100s of Times (Clearwater’s Role vs. Customer’s Role)

“We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete program evaluations, policies, procedures, gap assessments, risk analyses, risk response, etc. Customer reviews recommendations.

“We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.

“We train you to do it”: Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.

Summary and Next Steps

1. Assess the Forest First, Then Get Into the Trees/Weeds

2. Stay Business Risk Management and Patient/Member/Customer-Focused

3. Not ‘once and done’!

4. Large or Small: Get Help (Tools, Experts, etc.)

…Simply Makes Good Business Sense…

Download white papers

Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis

http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/

Educational Opportunities

Clearwater HIPAA Compliance and Information Risk Management BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn CPE Credits!

Join us for our next virtual, web-based event… Three 3-hour sessions: August 6th, 13th, 20th 2015

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Other Upcoming Clearwater Events

May 21, 2015: Bob Chaput is speaking! Audit World 2015, New Orleans, LA

May 26, 2015: Complimentary Webinar: Bona Fide Risk Analysis & Risk Management

May 28, 2015: Complimentary Web Event: Blue Ribbon Panel: Information Risk Management Essentials

June 4, 2015: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program

Visit ClearwaterCompliance.com for more info!

Resources

Register For Upcoming Live HIPAA-HITECH Webinars at:

https://clearwatercompliance.com/live-educational-webinars/

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

https://www.clearwatercompliance.com

[email protected]

Phone: 800-704-3394 or 615-656-4299

linkedin.com/in/BobChaput

Exit Survey, Please

American Hospital Association Exclusive Endorsement

Health Care Information Privacy, Security, Compliance and Risk Management Solutions from Clearwater Compliance LLC have earned the exclusive endorsement of the American Hospital Association.

“In line with our mission to foster operational excellence in hospitals and health care systems, we collaborate with hospital leaders to identify key challenges the health care field faces. After conducting the proprietary AHA Signature Due Diligence Process™, we award the exclusive AHA Endorsement to the solution that stands out from other candidates in best enabling hospitals to surmount an operational challenge.”

- AHA

WWW.CLEARWATERCOMPLIANCE.COM

(800) 704-3394

http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Thank You!