legal disclaimer - clearwater · 2016-06-30 · 2015 & 2016. exclusive. industry resource...


Page 1: Legal Disclaimer - Clearwater · 2016-06-30 · 2015 & 2016. Exclusive. Industry Resource Provider. Software Used by NSA/CAEs. ... Questions in “Question Area” on GTW ... •

© Clearwater Compliance | All Rights Reserved

1

Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

Page 2

What Business Associates Need to Know About HIPAA

June 30, 2016

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

615-656-4299 or [email protected]

Page 3

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
• CHIME Foundation Member
• AEHIS Advisory Board Member

http://www.linkedin.com/in/BobChaput

Page 4

Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 5

Awards and Recognition

2015 & 2016

Exclusive

Industry Resource Provider

Software Used by NSA/CAEs

Sole Source Provider

#11 – 2015 & 2016

Page 6

Clearwater’s Outstanding Net Promoter Score [1]

Strong Customer Satisfaction Drives Strong and Lasting Relationships

• Net Promoter Scores are a quick topline view of how businesses are performing [2]
• Strong Customer Satisfaction creates partnership opportunities and a win-win relationship

[1] Net Promoter Industry Benchmarks
[2] Industry Leaders Net Promoter Scores

Page 7

Some Ground Rules

1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours

Page 8

We are not attorneys! Engage Competent Counsel

The Omnibus has arrived! Welcome Aboard, BAs!

Lots of different interpretations! Please, Ask Lots of Questions!

But FIRST!

Page 9

Questions Provided in Advance

1. What are the high risk areas for HIPAA according to the new rulings?
2. Want to understand exactly what a BA is and what they need to do for my office/SRA.
3. What are the employee training requirements for business associates?
4. Should Business Associates provide the Covered Entity with select policies/procedures if not requested?
5. Is a covered entity required to include BAs as part of their risk analysis in terms of Meaningful Use Program?
6. What are the critical audit elements to ensure Covered Entities are monitoring Business Associates compliance with the final rule?
7. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?
8. Whether there is an exception to the prohibition of releasing private information, including discharge, for adult children?
9. I am supporting an office with 2 doctors and 4 employees. Us in the Little Leagues need help with budgetary constraints in mind.
10. BAAs
11. Any suggestions on how to audit our business associates to make sure they are following the same HIPAA rules?

Page 10

Learning Outcomes… Be Able to:

• Engage with customers and business partners directly on compliance requirements
• Find resources to assist CEs, BAs and Subcontractors in managing partner relationships
• Calculate the higher penalties and non-compliance fines
• Communicate your commitment to privacy and security of all PHI
• Clarify your current Privacy, Security and Breach Notification requirements under the Final Rule
• Clarify requirements to do business with one another
• Explain the significant increases in enforcement

Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials

Page 11

Pause and Quick Poll

What type of organization do you represent?

• Hospital / Health System
• BA
• Hybrid
• Don’t Know
• Other CE

Page 12

Pause and Quick Poll

How would you rate your HIPAA-HITECH expertise?

• What’s HIPAA?
• I’m getting there!
• Experienced
• Let me teach next time!

Page 13

Accretive Health Case Study

Bad things can happen to good companies

Page 14

Accretive Share Price & Story (timeline)

• July 2011 – Compromise: Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the employee’s car
• 1/19/2012 – MN SAG Suit
• 7/31/2012 – $2.5M MN SAG Settlement
• 4/2/2013 – CEO Replaced
• 4/13/2013 – COO Replaced
• 6/12/2013 – Class Action Suit
• 8/26/2013 – CFO Replaced
• 9/27/2013 – $14M Class Settlement
• 12/21/2013 – FTC Settle
• 1/2014 – 170 Jobs Cut
• 3/14/2014 – De-Listed NYSE

Page 15

Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist

Page 16

Bottom Line Up Front

1. Comply with the entire HIPAA Security Rule
2. Comply with a specific section of the HIPAA Breach Notification Rule
3. Comply with all applicable sections of the HIPAA Privacy Rule (“mileage will vary greatly…”)

HITECH Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Many business associates, even less so
• Largest and most consequential federal expansion
• Significantly more Business Associates
• Substantially increases the magnitude of HIPAA enforcement risk and liability
• “Call to Arms” for Business Associates…

Security Opinions (e.g., SSAE SOC 2) or “Certifications” (e.g., HITRUST) Have ABSOLUTELY NOTHING to do with HIPAA Compliance

Page 17

Applicability

Security

Privacy

Omnibus Final Rule … Drove Big Changes for Business Associates

Page 18

HITECH

HIPAA

Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• 54 Implementation Specs

Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• 50 Implementation Specs

Breach Notification
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs

OMNIBUS FINAL RULE

Three Pillars of HIPAA-HITECH Compliance…

Page 19

First Healthcare Risk Manager

“First, Do No Harm.”

– Hippocrates, 4th Century B.C.E.
– OR
– Auguste François Chomel (1788–1858), Parisian pathologist and clinician
– OR
– ???

At the End of the Day, HIPAA Privacy, Security & Breach Notification Rules Are About Preventing Harm from New Threat Sources

Page 20

Privacy & Security

Privacy (GAPP) Controls:
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use, Retention & Disposal
6. Access
7. Disclosure to 3rd Parties
8. Security for Privacy
9. Quality
10. Monitoring & Enforcement

Security Safeguards:
• Confidentiality
• Integrity
• Availability

Security Program without Privacy Program; Converse is Not True

Page 21

HIPAA-HITECH Entities

• Covered Entity
  – Health care providers (that conduct e-transactions), health plans, health care clearinghouses
• Business Associate
  – Entity that uses or discloses PHI on behalf of a CE
  – Create, receive, maintain or transmit PHI on behalf of a CE
• Subcontractor (or Agent?) / Sub Business Associate
  – A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.

Page 22

§160.103 Definition – Business associate: A BA creates, receives, maintains, or transmits PHI on behalf of a CE

Business Associate:
• Vendor providing Health Care Operations services
• CPA firm whose accounting services involve access to PHI
• Attorney whose legal services involve access to PHI
• Consultants performing utilization or quality improvement reviews
• Associations conducting and sharing comparative quality analysis
• Health Information Organization
• E-Prescribing Gateway
• CE can be a BA of another CE

Not a Business Associate:
• CE to CE if involves treatment
• Entities acting on their own behalf
• Entities whose functions or services do not involve use or disclosure
• Conduits with random or infrequent access
• Researchers if with authorization or as a limited data set
• Between OHCA participants
• Government Agency determining eligibility or enrollment in government health plan
• Plan Sponsor to a Group Health Plan

Page 23

A Couple Business Associates

• Call Center Software firm
• Document Imaging company
• Claims Scrubbing Company
• Cloud-Storage Provider
• Data Analytics Company
• Pharmaceutical / Medical Device Companies
• Contract Research Organizations
• Data Transmission (HIE)
• Data Storage / Data Back-up
• Health Information Organizations (HIOs)
• Data Recovery Services
• Software as a Service (SaaS) Offerings
• On-Line Diagnostic Services
• Mobile Devices
• Web Portals – Physicians
• Web Portals – Consumers
• Pharmacy Benefits Managers
• Third Party Administrators
• Benefit Administrators
• Claims Review / Utilization
• Banks providing lockbox services
• Billing Processors
• Business Process Outsourcing
• Revenue Cycle Companies
• Payment Agencies
• Collection Agencies
• Hospital Discharge Care Support
• Disease Management Companies
• Wellness Companies
• Fulfillment Companies
• Health Risk Assessment Organizations
• Independent Insurance Agents / Brokers
• CPA firm
• Medical transcriptionists
• Consultants
• Auditors
• Accreditation Firms
• Application Trouble-Shooters
• Law firms
• Biometric Companies
• Phlebotomists
• Software vendors
• App Development Contractors
• File / Data Storage company
• Clearinghouses
• Web portal company
• Medicare HCC Coding Company

Page 24

“Famous” BAs

Page 25

Anthem as a BA to Affiliated Health Plans

• TPA and insurance issuer services to ~42 other BCBS (BlueCard) and Group Health Plans

• ~40 million (50%) were members of affiliated health plans

• Names, birth dates, ID numbers, social security numbers, home addresses, phone numbers, email addresses, and employment information

• Result: identity theft, stolen income tax refunds, credit card charges

• Cases have now been consolidated into a single, consolidated complaint – still pending in the Northern District of California

Big doesn’t mean Safe

Page 26

As Reported on HHS “Wall of Shame” – As Of 6/23/2016

BAs have been responsible for only 19% of the number of breaches

That 19% accounted for 41% of the number of breached records

BAs Need to Manage Compliance and Security Risks!

Page 27

HIPAA Chain Of Trust (diagram)

Nodes shown: Hospital (HIPAA-HITECH Covered Entity); Business Associate 1, Business Associate 2, Business Associate 3, …; Sub-BA 1, Sub-BA 2, Sub-BA 3. Example parties labelled on the diagram: Outside IT, EHR Contractor, Data Analytics, Outside Law Firm, Billing, Portal Provider, Data Analytics firm.

Regulations Create Chain of Trust… doesn’t end…

Page 28

Business Associate Agreements Compliance Date

• September 23, 2013, OR
• If a compliant contract was in place prior to January 25, 2013 and not renewed between March 26 and September 23, 2013, then September 22, 2014 or the date it is renewed or modified, whichever is earlier

Page 29

Security Rule BA Contract Requirements

§164.314 Organizational requirements.

(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.

(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will …
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section

Page 30

Privacy Rule BA Contract Requirements – §164.504(e)

1. Establish the permitted and required uses and disclosures of PHI by the business associate.
2. Provide that the business associate will:
   • Not use or further disclose PHI other than as permitted or required by the contract or by law;
   • Use appropriate safeguards and comply with the Security Rule with respect to electronic PHI;
   • Report to the CE any use or disclosure of the information not provided for by its contract, including breaches of unsecured protected health information;
   • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to these same restrictions and conditions;
   • Make PHI available for Individual rights of access; amendment (including incorporating amendments) and accounting of disclosures;
   • To the extent the BA is to carry out a CE’s obligation, comply with the Privacy Rule regulations that apply to the covered entity;
   • Make practices and records relating to the use and disclosure of PHI received from, or created or received by the BA available to the Secretary for determining the CE’s compliance with the Privacy Rule;
   • At termination of the contract, return or destroy all PHI created or received from/by the BA. If such return or destruction is not feasible, extend the protections of the contract to the information.
3. Authorize termination of the contract by the CE if the BA has violated a material term of the contract: (A) terminate the contract or arrangement, if feasible; or, if termination is not feasible, report the problem to the Secretary.

Page 31

Optional Contract Provisions to Inform BAs of Privacy Practices and Restrictions

CE shall notify BA of:
1. Any limitation(s) in the NPP that may affect BA’s use or disclosure
2. Any changes in, or revocation of, the permission by an individual to use or disclose PHI that may affect BA use or disclosure
3. Any restriction on the use or disclosure of PHI that CE has agreed to or is required (restrictions and/or confidential communications), that may affect BA’s use or disclosure.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Page 32

Other Legal Considerations (good business practice)

• Time of Notification after Discovery
• Indemnification
• Cyber Insurance
• Limitation of Liability
• Carve-outs for Negligence
• Allocation of Responsibility Depending on Fault

Page 33

BA Contracts

• Implementing BAAs with any downstream subcontractors
• “…knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation” must cure or terminate

SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Page 34

Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist

Page 36

The Security Rule

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Organizational Requirements

Policies & Procedures

Only ePHI

Page 37

Clearwater Compliance Compass™ – Balanced Compliance Program: Policy, Procedures, People, Safeguards

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

Procedures or processes – documented – provide the actions required to deliver on the organization’s values.

People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.

Safeguards include the various families of administrative, physical or technical security controls (e.g. encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

Page 38

The Security Rule: 22 Standards and 50+ Implementation Specifications

Not all requirements are created equal.

Get Risk Analysis Done; then do Risk Management

Page 39

Pause and Quick Poll

Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8)) ?

Page 40

Pause and Quick Poll

Has Your Organization Completed the Technical Evaluation (=Testing) of Your Environment (45 CFR § 164.308(a)(8))?

Page 41

Pause and Quick Poll

Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?

Page 42

Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist

Page 43

The Privacy Rule

Uses and Disclosures

Notice of Privacy Practices

Organizational Requirements

Administrative Requirements

All PHI, including ePHI

Individual Rights

Page 44

Privacy Rule

Business associates are directly liable for:
1. Impermissible uses and disclosures – §164.502(a)(3)
2. Failure to provide breach notification to the covered entity – §164.410
3. Failure to provide access to a copy of ePHI to either the covered entity, the individual, or the individual’s designee – §164.502(a)(4)(ii)
4. Failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules – §164.502(a)(4)(i)
5. Failure to follow Minimum Necessary standard when using or disclosing PHI – §164.514(d)
6. Failure to provide an accounting of disclosures – 76 Fed. Reg. 31426 (May 31, 2011)

May Be Just the Beginning

Page 45

BA Privacy Requirements… Vary!

Find and Work With Experts!

Page 46

Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist

Page 47

The Breach Notification Rule

Administrative Requirements

Breach Notification

Burden of Proof

All PHI, including ePHI

Page 48

Definition of Breach – 45 CFR § 164.402

Before Omnibus:
• “Harm Standard”
• “Secured PHI”
• “Assessment of Significant Risk”: …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
• Four Exceptions

After Omnibus:
• Regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Low Probability of Compromise Assessment”
• Burden of Proof for CE: …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA: …all notifications have been made
• Now, Three Exceptions

More Reportable Breaches – More Pressure on CEs and BAs


Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist


Why is This Woman Smiling?

Help from…
• New Civil Monetary Penalty System
• Monies Back to OCR Coffers
• State AGs Jurisdiction
• HITECH-mandated OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• Increased Complaints
• CMS MU Audits
• Possible FCA Actions
• Possible FTC Actions

Jocelyn Samuels, Director – HHS’ Office for Civil Rights


Enforcement: Amount of CMP - § 160.404

Before Omnibus:
• No more than $100 for each violation or $25,000 for all identical violations of the same provision
• CE could bar the Secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

After Omnibus – New Civil Money Penalty (CMP) System – Tiered:
• Discretion to use up to $50K per violation at each tier
• No more “did not know” affirmative defense

More Penalties | Audits ► More Enforcement
• Investigations & Monetary Penalties are mandatory for violations involving "willful neglect"
• Collected penalties back to OCR for enforcement
• Penalty monies back to harmed individuals… soon?


New Audit Protocol is Here
• “Still validating contact information”
• “Definitely this summer”
• “A total of between 200 and 250 organizations - including both covered entities and business associates 10-25 ‘full scale’ onsite audits” http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178
• "We've done a lot of work to try to make it much more comprehensive”
• "For example, time and again we see that entities are not doing a security risk assessment that are enterprise-wide ... that take into account all the electronic protected health information that is in their environments.”

May 18, 2016 Interview


Phase 2 OCR Audits
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program
• OCR wants a diverse pool of CEs and BAs to audit – varying size, geographical location, what they do etc…

2016 Covered Entity Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Content and timeliness of breach notifications
• Privacy—Notice of Privacy Practices and Access

2016 Business Associate Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Breach reporting to covered entities

One Shot! | Fast Turn-Around

Best Be Super Ready


Initial Phase 2 Audit Selection Process

Email from OCR: OCR is sending emails to various covered entities and business associates determining who is the primary contact – some emails provide 5 days to respond, others 14 days.

Pre-Audit Questionnaire: Once contact information is obtained, a CE or BA receives a questionnaire designed to gather data about size, type and operations of potential auditees. The goal – auditing a broad range of candidates. 30 days to respond.

Audit Notification Letter: If chosen from the pool of candidates, selected CEs and BAs will receive an audit notification letter. Currently desktop audits. Respond to letter within 10 business days.

Phase Two of OCR’s HIPAA audit program is currently underway.


Enforcement: OCR Investigations and Compliance

Before Omnibus:
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means

After Omnibus:
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means

Increased Enforcement ► Don’t Wait ► Gap Assessments, Risk Analyses, PnPs, Training, Sanctions etc.


Three Terms To Memorize¹

1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

2. Reasonable cause (NEW!) means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

¹ 45 CFR 160.401 Definitions

Give Your CEO and Outside Counsel Something to Work With!


Enforcement: Amount Of CMP - 45 CFR § 160.404

Violation Category - Section 1176(a)(1)   | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)   | $100 - $50,000                   | $1,500,000
(B) Reasonable Cause                      | $1,000 - $50,000                 | $1,500,000
(C)(i) Willful Neglect – Corrected        | $10,000 - $50,000                | $1,500,000
(C)(ii) Willful Neglect – Not Corrected   | $50,000                          | $1,500,000

Discretion to Use $50K at Any Level | CEs & BAs Act Swiftly in Case of Breach


New Math - CMP

Assume:
• Laptop with 1,000 records is stolen from a Covered Entity and ePHI is impermissibly disclosed … and confidentiality and availability are compromised
• OCR investigation found violations:
  1. Impermissible disclosure of PHI (45 CFR §164.502(a))
  2. Failed to implement safeguards (45 CFR §164.530(c))
  3. Did not ever complete a risk analysis (45 CFR §164.308(a)(1)(ii)(A))
  4. Did not undertake risk management by implementing reasonable and appropriate controls (45 CFR §164.308(a)(1)(ii)(B))
  5. Did not do data backup; failed to create exact retrievable copies of ePHI on laptops (45 CFR §164.308(a)(7)(ii)(A))
• Did not address the above violations within 30 days of discovery of the violations
• And, assume, organization was found to be in “willful neglect”


New Math

Civil Monetary Penalty calculation might be:
• Two Privacy Rule violations (Impermissible disclosure + Safeguards failure)
• Three Security Rule violations listed on previous slide
• 1,000 records * $50,000 per violation = $50,000,000 per violation, capped at $1,500,000 for identical violations during a calendar year, so $1,500,000
• 5 violations * $1,500,000 = $7,500,000

But wait, there’s more!!
• Impermissible Disclosure – 1 time = $1.5M
• Every other violation: 2010 – 2015, 6 yrs x 4 x $1.5M = $36.0M
• Total: $37.5M
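The penalty arithmetic above, as an added worked example (this is not code from the Clearwater deck): a small calculator that encodes the slide's tier table and the per-provision annual cap, then reproduces the $7.5M and $37.5M figures. The tier keys, function names and the scenario list are my own; the dollar amounts are the ones printed on the slides, and the stolen-laptop scenario is the deck's constructed hypothetical, not a real enforcement action.

```python
"""Tiered HIPAA civil money penalty (CMP) calculator.

Added worked example for this deck, not Clearwater's own code. It encodes the
45 CFR 160.404 tier table exactly as the slides print it (the pre-inflation-
adjustment dollar amounts) and reproduces the deck's "New Math" figures.
The scenario values (1,000 records, five provisions, six calendar years) are
the deck's constructed hypothetical, not a real enforcement action.
"""

# Per-violation (minimum, maximum) for each culpability tier, from the slide table.
# Tier keys are my own labels (assumption), not regulatory identifiers.
TIERS = {
    "A_did_not_know": (100, 50_000),
    "B_reasonable_cause": (1_000, 50_000),
    "C_i_willful_neglect_corrected": (10_000, 50_000),
    "C_ii_willful_neglect_not_corrected": (50_000, 50_000),
}

# Cap on all identical violations of one provision within one calendar year.
ANNUAL_CAP_PER_PROVISION = 1_500_000


def per_violation_amount(tier, amount=None):
    """Resolve the per-violation dollar amount for a tier.

    OCR has discretion up to $50K at every tier (the slide's point), so the
    default is the tier maximum; an explicit amount must sit inside the tier range.
    """
    low, high = TIERS[tier]
    if amount is None:
        return high
    if not low <= amount <= high:
        raise ValueError(f"{amount} is outside the {tier} range {low}-{high}")
    return amount


def provision_penalty_one_year(tier, violations, amount=None):
    """Penalty for `violations` identical violations of ONE provision in ONE calendar year.

    Each affected record counts as a violation (the deck's 1,000-record laptop),
    and the annual cap per identical provision is applied after multiplying.
    """
    per_violation = per_violation_amount(tier, amount)
    return min(per_violation * violations, ANNUAL_CAP_PER_PROVISION)


def total_penalty(tier, provisions, amount=None):
    """Sum capped penalties across provisions.

    `provisions` is a list of (name, violations_per_year, calendar_years);
    the cap applies per provision per year, so years multiply after capping.
    """
    total = 0
    for _name, violations, years in provisions:
        total += provision_penalty_one_year(tier, violations, amount) * years
    return total


def new_math_example():
    """Reproduce the deck's two totals for the constructed stolen-laptop scenario."""
    tier = "C_ii_willful_neglect_not_corrected"
    records = 1_000
    # First cut: five provisions, one calendar year each.
    one_year = [
        ("impermissible disclosure 164.502(a)", records, 1),
        ("safeguards 164.530(c)", records, 1),
        ("risk analysis 164.308(a)(1)(ii)(A)", records, 1),
        ("risk management 164.308(a)(1)(ii)(B)", records, 1),
        ("data backup 164.308(a)(7)(ii)(A)", records, 1),
    ]
    single_year_total = total_penalty(tier, one_year)
    # "But wait, there's more": the disclosure happened once, but the other four
    # failures persisted across 2010-2015, i.e. six calendar years each.
    multi_year = [one_year[0]] + [(name, n, 6) for name, n, _ in one_year[1:]]
    multi_year_total = total_penalty(tier, multi_year)
    return single_year_total, multi_year_total


if __name__ == "__main__":
    one, many = new_math_example()
    print(f"single year: ${one:,}   across 2010-2015: ${many:,}")
```

The design point worth noticing is where the cap sits: it is applied per provision and per calendar year, after the record count is multiplied in, which is why a single uncorrected failure that persists for years grows linearly with the years rather than being capped once.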


New Texas HB 300 Penalties

Check Laws in All Jurisdictions In Which You Operate

• Tier 1 (Committed Negligently)– $5,000 each violation

• Tier 2 (Committed Knowingly or Intentionally)– $25,000 each violation

• Tier 3 (Committed intentionally and PHI is used for financial gain)– $250,000 each violation

• Annual Maximum (Pattern or Practice)– Not to Exceed $1.5 million, per year


Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist


Omnibus Timing
• January 17, 2013 Release
• January 25, 2013 Publication
• March 26, 2013 Effective Date
• September 23, 2013 Compliance Date

Business Associate Agreements: Compliance Dates
• September 23, 2013 OR
• If a compliant contract was in place
  ‒ prior to January 25, 2013 and not renewed between March 26, 2013 and September 23, 2013,
  ‒ then that prior contract or other arrangement shall be deemed compliant until September 22, 2014 or the date it is renewed or modified on or after September 23, 2013, whichever is earlier


Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist


10-Point HIPAA Compliance & Cyber Risk Mitigation Program

1. Set privacy and security risk management & governance program in place (45 CFR § 164.308(a)(1))
2. Develop & implement HIPAA privacy, security, and breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA security evaluation (e.g. “compliance assessment”) (45 CFR § 164.308(a)(8))
6. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
7. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Assess your current insurance coverage (e.g. cyber liability, D&O, P&C)
10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))

Derived from OCR Enforcement Actions | Demonstrate Reasonable Diligence


10-Point Strategic HIPAA Compliance & Cyber Risk Assessment™
• Undertake the most complete, intelligent & cost-effective, strategic process on the market
• Receive a customized, actionable strategic plan designed to strengthen your information risk management pertaining to all PHI
• Create a roadmap to lead your organization to complete compliance and information risk management with ALL aspects of HIPAA, the HITECH Act, and the HIPAA Omnibus Final Rule


In Summary …

Observations:
1. It’s not just about a BAA; it’s about Federal Regulations
2. “Heaviest lifting” is typically around Security Rule
3. BAs have obligations, “upstream” and “downstream”
4. Penalties for non-compliance may be serious (Accretive case study)
5. Don’t Fall For SOC2 Opinions or HITRUST Certifications – They Don’t Help with Compliance / They Don’t Help With Security

Recommendations:
1. Take Stock of Exactly Where You Are Today:
   1. Complete core Security Rule assessment requirements to show good faith effort, OR
   2. Engage Independent 3rd Party Experts to Assess Your Overall Program
2. Read the Regulations Inside-Out or Find Experts Who Know Them
3. Determine What Your Specific Requirements Are Related To The Privacy Rule – Possibly Trickiest!


Other Upcoming Clearwater Events

Visit ClearwaterCompliance.com for more info!

• July 7, 2016 – Complimentary Webinar: How to Conduct a NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
• July 14, 2016 – Complimentary Webinar: OCR’s Phase 2 Audits and How Best to Prepare
• July 21, 2016 – Complimentary Webinar: The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• July 28, 2016 – Complimentary Webinar: HIPAA 101


AHA Solutions Signature Learning Series™

Register Now: http://ow.ly/b0cX301LkDb

OCR’s Phase 2 HIPAA Security Audits and How Best to Prepare
Learn how to prepare for Phase 2 OCR audits — direct from experts on OCR audit preparedness and a former OCR HIPAA investigator.

This webinar is only available to AHA members.

Virtual Web Based Training, Wednesday, July 27th, 2016, 12:00-1:00 CDT


Clearwater HIPAA and Cybersecurity BootCamp™

Take Your HIPAA Privacy and Security Program to a Better Place, Faster …

Earn up to 10.8 CPE Credits!

http://clearwatercompliance.com/bootcamps/

Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.

Join us for our next virtual, web-based events… Three 3-hr sessions:
• August 4th, 11th, 18th - 2016
• November 3rd, 10th, 17th - 2016
• February 9th, 16th, 23rd - 2017
• May 4th, 11th, 18th - 2017


Complimentary HIPAA Risk Analysis Review

https://clearwatercompliance.com/hipaa-risk-analysis-review/


Why You Should Consider Clearwater

Clearwater Compliance – A Better, Brighter Idea!

• Highly Reference-able Hospital / Health System Customer Base, with Exclusive AHA Endorsement
• Commercially Competitive Professional Services Fees
• Proven Experience in Large Complex Healthcare Environments
• Independent, Objective Advisory Services with No Vendor Ties
• Deep Experience with 30+ Organizations Audited by OCR, CMS & OIG
• Business Risk Management Focus While Achieving Regulatory Compliance
• Seasoned, Credentialed Professionals in Healthcare Privacy, Security, Compliance & Information Risk Management
• Significant Post-Breach Experience and Partner Network


Questions Provided in Advance
1. What are the high risk areas for HIPAA according to the new rulings?
2. Want to understand exactly what a BA is and what they need to do for my office/SRA?
3. What are the employee training requirements for business associates?
4. Should Business Associates provide the Covered Entity with select policies/procedures if not requested?
5. Is a covered entity required to include BAs as part of their risk analysis in terms of Meaningful Use Program?
6. What are the critical audit elements to ensure Covered Entities are monitoring Business Associates compliance with the final rule
7. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?
8. Whether there is an exception to the prohibition of releasing private information, including discharge, for adult children?
9. I am supporting an office with 2 doctors and 4 employees. Us in the Little Leagues need help with budgetary constraints in mind.
10. BAAs
11. Any suggestions on how to audit our business associates to make sure they are following the same HIPAA rules?


Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

https://www.clearwatercompliance.com

[email protected]

Phone: 800-704-3394 or 615-656-4299

linkedin.com/in/BobChaput

Exit Survey, Please


WWW.CLEARWATERCOMPLIANCE.COM

(800) 704-3394 http://www.linkedin.com/in/bobchaput/

@clearwaterhipaa

ClearwaterCompliance

Clearwater Compliance

Thank You!


What About HITRUST versus NIST?

References / Articles for Your Own Due Diligence
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page

We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”

As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%), and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.


HHS FAQ on 3rd Party Certifications

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.

“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
