© Clearwater Compliance | All Rights Reserved
Legal Disclaimer

The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
What Business Associates Need to Know About HIPAA

June 30, 2016
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
615-656-4299 or [email protected]
Bob Chaput
MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
• CHIME Foundation Member
• AEHIS Advisory Board Member

http://www.linkedin.com/in/BobChaput
Our Passion

We’re excited about what we do because…

…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…

…and keeping those same organizations off the Wall of Shame…!
Awards and Recognition

[Award logos; captions recovered from the slide:]
• 2015 & 2016
• Exclusive Industry Resource Provider
• Software Used by NSA/CAEs
• Sole Source Provider
• #11 – 2015 & 2016
Clearwater’s Outstanding Net Promoter Score¹

Strong Customer Satisfaction Drives Strong and Lasting Relationships

• Net Promoter Scores are a quick topline view of how businesses are performing²
• Strong Customer Satisfaction creates partnership opportunities and a win-win relationship

¹ Net Promoter Industry Benchmarks
² Industry Leaders Net Promoter Scores
Some Ground Rules

1. Slide materials
   A. Check “Download” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
But FIRST!

We are not attorneys! Engage Competent Counsel

The Omnibus has arrived! Welcome Aboard, BAs!

Lots of different interpretations! Please, Ask Lots of Questions!
Questions Provided in Advance

1. What are the high risk areas for HIPAA according to the new rulings?
2. Want to understand exactly what a BA is and what they need to do for my office/SRA.
3. What are the employee training requirements for business associates?
4. Should Business Associates provide the Covered Entity with select policies/procedures if not requested?
5. Is a covered entity required to include BAs as part of their risk analysis in terms of Meaningful Use Program?
6. What are the critical audit elements to ensure Covered Entities are monitoring Business Associates compliance with the final rule?
7. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?
8. Whether there is an exception to the prohibition of releasing private information, including discharge, for adult children?
9. I am supporting an office with 2 doctors and 4 employees. Us in the Little Leagues need help with budgetary constraints in mind.
10. BAAs
11. Any suggestions on how to audit our business associates to make sure they are following the same HIPAA rules?
Learning Outcomes… Be Able to:

• Engage with customers and business partners directly on compliance requirements
• Find resources to assist CEs, BAs and Subcontractors in managing partner relationships
• Calculate the higher penalties and non-compliance fines
• Communicate your commitment to privacy and security of all PHI
• Clarify your current Privacy, Security and Breach Notification requirements under the Final Rule
• Clarify requirements to do business with one another
• Explain the significant increases in enforcement

Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials
Pause and Quick Poll

What type of organization do you represent?

• Hospital / Health System
• BA
• HYBRID
• Don’t Know
• Other CE
Pause and Quick Poll

How would you rate your HIPAA-HITECH expertise?

• What’s HIPAA?
• I’m getting there!
• Experienced
• Let me teach next time!
Accretive Health Case Study

Bad things can happen to good companies
Accretive Share Price & Story

[Chart: Accretive share price plotted against the events below]

• July 2011: Compromise – an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the employee’s car
• 1/19/2012: MN SAG Suit
• 7/31/2012: $2.5M MN SAG Settlement
• 4/2/2013: CEO Replaced
• 4/13/2013: COO Replaced
• 6/12/2013: Class Action Suit
• 8/26/2013: CFO Replaced
• 9/27/2013: $14M Class Settlement
• 12/21/2013: FTC Settle
• 1/2014: 170 Jobs Cut
• 3/14/2014: De-Listed NYSE
Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist
Bottom Line Up Front

1. Comply with the entire HIPAA Security Rule
2. Comply with a specific section of the HIPAA Breach Notification Rule
3. Comply with all applicable sections of the HIPAA Privacy Rule (“mileage will vary greatly…”)

HITECH Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Many business associates, even less so
• Largest and most consequential federal expansion
• Significantly more Business Associates
• Substantially increases the magnitude of HIPAA enforcement risk and liability
• “Call to Arms” for Business Associates…

Security Opinions (e.g., SSAE SOC 2) or “Certifications” (e.g., HITRUST) Have ABSOLUTELY NOTHING to do with HIPAA Compliance
Omnibus Final Rule … Drove Big Changes for Business Associates

[Figure: three areas of change – Applicability, Security, Privacy]
Three Pillars of HIPAA-HITECH Compliance… (HIPAA, HITECH, Omnibus Final Rule)

• Privacy Final Rule: 75 pages / 27K words; 56 Standards; 54 Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; 50 Implementation Specs
• Breach Notification: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
First Healthcare Risk Manager

“First, Do No Harm.”
– Hippocrates, 4th Century, B.C.E.
– OR Auguste François Chomel (1788–1858), Parisian pathologist and clinician
– OR ???

At the End of the Day, HIPAA Privacy, Security & Breach Notification Rules Are About Preventing Harm from New Threat Sources
Privacy & Security

Privacy (GAPP) – Controls:
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use, Retention & Disposal
6. Access
7. Disclosure to 3rd Parties
8. Security for Privacy
9. Quality
10. Monitoring & Enforcement

Security – Safeguards: Confidentiality, Integrity, Availability

Security Program without Privacy Program; Converse is Not True
HIPAA-HITECH Entities

• Covered Entity
  – Health care providers (that conduct e-transactions), health plans, health care clearinghouses
• Business Associate
  – Entity that uses or discloses PHI on behalf of a CE
  – Create, receive, maintain or transmit PHI on behalf of a CE
• Subcontractor (or Agent?) / Sub Business Associate
  – A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.
§160.103 Definition – Business associate: A BA creates, receives, maintains, or transmits PHI on behalf of a CE

Business Associate:
• Vendor providing Health Care Operations services
• CPA firm whose accounting services involve access to PHI
• Attorney whose legal services involve access to PHI
• Consultants performing utilization or quality improvement reviews
• Associations conducting and sharing comparative quality analysis
• Health Information Organization
• E-Prescribing Gateway
• CE can be a BA of another CE

Not a Business Associate:
• CE to CE if involves treatment
• Entities acting on their own behalf
• Entities whose functions or services do not involve use or disclosure
• Conduits with random or infrequent access
• Researchers if with authorization or as a limited data set
• Between OHCA participants
• Government Agency determining eligibility or enrollment in government health plan
• Plan Sponsor to a Group Health Plan
A Couple Business Associates

• Call Center Software firm
• Document Imaging company
• Claims Scrubbing Company
• Cloud-Storage Provider
• Data Analytics Company
• Pharmaceutical / Medical Device Companies
• Contract Research Organizations
• Data Transmission (HIE)
• Data Storage / Data Back-up
• Health Information Organizations (HIOs)
• Data Recovery Services
• Software as a Service (SaaS) Offerings
• On-Line Diagnostic Services
• Mobile Devices
• Web Portals – Physicians
• Web Portals – Consumers
• Pharmacy Benefits Managers
• Third Party Administrators
• Benefit Administrators
• Claims Review / Utilization
• Banks providing lockbox services
• Billing Processors
• Business Process Outsourcing
• Revenue Cycle Companies
• Payment Agencies
• Collection Agencies
• Hospital Discharge Care Support
• Disease Management Companies
• Wellness Companies
• Fulfillment Companies
• Health Risk Assessment Organizations
• Independent Insurance Agents / Brokers
• CPA firm
• Medical transcriptionists
• Consultants
• Auditors
• Accreditation Firms
• Application Trouble-Shooters
• Law firms
• Biometric Companies
• Phlebotomists
• Software vendors
• App Development Contractors
• File / Data Storage company
• Clearinghouses
• Web portal company
• Medicare HCC Coding Company
“Famous” BAs
Anthem as a BA to Affiliated Health Plans
• TPA and insurance issuer services to ~42 other BCBS (BlueCard) and Group Health Plans
• ~40 million (50%) were members of affiliated health plans
• Names, birth dates, ID numbers, social security numbers, home addresses, phone numbers, email addresses, and employment information
• Result: identity theft, stolen income tax refunds, credit card charges
• Cases have now been consolidated into a single, consolidated complaint – still pending in the Northern District of California
Big doesn’t mean Safe
As Reported on HHS “Wall of Shame” – As Of 6/23/2016

• BAs have been responsible for only 19% of the number of breaches
• That 19% accounted for 41% of the number of breached records

BAs Need to Manage Compliance and Security Risks!
HIPAA Chain Of Trust

[Figure: a Hospital (HIPAA-HITECH Covered Entity) linked to Business Associate 1, Business Associate 2, Business Associate 3 … and onward to Sub-BA 1, Sub-BA 2, Sub-BA 3; example labels on the diagram: Outside IT, Data Analytics, EHR Contractor, Outside Law Firm, Billing, Portal Provider, Data Analytics firm]

Regulations Create Chain of Trust… doesn’t end…
Business Associate Agreements Compliance Date

• September 23, 2013, OR
• If a compliant contract was in place
  – prior to January 25, 2013 and not renewed between March 26 and September 23, 2013,
• then September 22, 2014 or the date it is renewed or modified, whichever is earlier
Security Rule BA Contract Requirements

§164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will …
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section
Privacy Rule BA Contract Requirements – §164.504(e)

1. Establish the permitted and required uses and disclosures of PHI by the business associate.
2. Provide that the business associate will:
   • Not use or further disclose PHI other than as permitted or required by the contract or by law;
   • Use appropriate safeguards and comply with the Security Rule with respect to electronic PHI;
   • Report to the CE any use or disclosure of the information not provided for by its contract, including breaches of unsecured protected health information;
   • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to these same restrictions and conditions;
   • Make PHI available for Individual rights of access; amendment (including incorporating amendments) and accounting of disclosures;
   • To the extent the BA is to carry out a CE’s obligation, comply with the Privacy Rule regulations that apply to the covered entity;
   • Make practices and records relating to the use and disclosure of PHI received from, or created or received by the BA available to the Secretary for determining the CE’s compliance with the Privacy Rule;
   • At termination of the contract, return or destroy all PHI created or received from/by the BA. If such return or destruction is not feasible, extend the protections of the contract to the information.
3. Authorize termination of the contract by the CE, if the BA has violated a material term of the contract: (A) terminate the contract or arrangement, if feasible; or, if termination is not feasible, report the problem to the Secretary.
Optional Contract Provisions to Inform BAs of Privacy Practices and Restrictions

CE shall notify BA of:
1. Any limitation(s) in the NPP that may affect BA’s use or disclosure
2. Any changes in, or revocation of, the permission by an individual to use or disclose PHI that may affect BA use or disclosure
3. Any restriction on the use or disclosure of PHI that CE has agreed to or is required (restrictions and/or confidential communications), that may affect BA’s use or disclosure.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Other Legal Considerations (good business practice)

• Time of Notification after Discovery
• Indemnification
• Cyber Insurance
• Limitation of Liability
• Carve-outs for Negligence
• Allocation of Responsibility Depending on Fault
BA Contracts

• Implementing BAAs with any downstream subcontractors
• “…knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation” must cure or terminate

SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Agenda: 2. Security Rule
Regulatory “Field Trip”: Part 160 and Part 164

Omnibus Final Rule – Big Changes in 160 & 164
The Security Rule (Only ePHI)

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies & Procedures
Balanced Compliance Program – Clearwater Compliance Compass™

• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
• Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
• People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
• Safeguards include the various families of administrative, physical or technical security controls (e.g. encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.)
The Security Rule: 22 Standards and 50+ Implementation Specifications

Not all requirements are created equal.

Get Risk Analysis Done; then do Risk Management
Pause and Quick Poll

Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))?

Pause and Quick Poll

Has Your Organization Completed the Technical Evaluation (= Testing) of Your Environment (45 CFR § 164.308(a)(8))?

Pause and Quick Poll

Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?
Agenda: 3. Privacy Rule
The Privacy Rule (All PHI, including ePHI)

• Uses and Disclosures
• Notice of Privacy Practices
• Organizational Requirements
• Administrative Requirements
• Individual Rights
Privacy Rule

Business associates are directly liable for:
1. Impermissible uses and disclosures – §164.502(a)(3)
2. Failure to provide breach notification to the covered entity – §164.410
3. Failure to provide access to a copy of ePHI to either the covered entity, the individual, or the individual’s designee – §164.502(a)(4)(ii)
4. Failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules – §164.502(a)(4)(i)
5. Failure to follow Minimum Necessary standard when using or disclosing PHI – §164.514(d)
6. Failure to provide an accounting of disclosures – 76 Fed. Reg. 31426 (May 31, 2011)

May Be Just the Beginning
BA Privacy Requirements… Vary!
Find and Work With Experts!
Agenda: 4. Breach Notification Rule
The Breach Notification Rule (All PHI, including ePHI)

• Administrative Requirements
• Breach Notification
• Burden of Proof
Definition of Breach – 45 CFR § 164.402

Before Omnibus:
• “Harm Standard”
• “Secured PHI”
• “Assessment of Significant Risk”
• …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
• Four Exceptions

After Omnibus:
• Regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Low Probability of Compromise Assessment”
• Burden of Proof for CE: …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA: …all notifications have been made
• Now, Three Exceptions

More Reportable Breaches – More Pressure on CEs and BAs
Agenda: 5. Enforcement
Why is This Woman Smiling?

Jocelyn Samuels, Director – HHS’ Office for Civil Rights

• New Civil Monetary Penalty System
• Monies Back to OCR Coffers
• State AGs Jurisdiction
• HITECH-mandated OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• Increased Complaints

Help from…
• CMS MU Audits
• Possible FCA Actions
• Possible FTC Actions
Enforcement: Amount of CMP – § 160.404

Before Omnibus:
• No more than $100 for each violation or $25,000 for all identical violations of the same provision
• CE could bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

After Omnibus:
• New Civil Money Penalty (CMP) System – Tiered
• Discretion to use up to $50K per violation at each tier
• No more “did not know” affirmative defense
• Investigations & Monetary Penalties are mandatory for violations involving “willful neglect”
• Collected penalties back to OCR for enforcement
• Penalty monies back to harmed individuals… soon?

More Penalties | Audits ► More Enforcement
New Audit Protocol is Here

May 18, 2016 Interview: http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178
• “Still validating contact information”
• “Definitely this summer”
• “A total of between 200 and 250 organizations – including both covered entities and business associates – 10-25 ‘full scale’ onsite audits”
• “We’ve done a lot of work to try to make it much more comprehensive”
• “For example, time and again we see that entities are not doing a security risk assessment that are enterprise-wide ... that take into account all the electronic protected health information that is in their environments.”
Phase 2 OCR Audits

• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program
• OCR wants a diverse pool of CEs and BAs to audit – varying size, geographical location, what they do etc…

2016 Covered Entity Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Content and timeliness of breach notifications
• Privacy: Notice of Privacy Practices and Access

2016 Business Associate Desk Audit Scope
• Security: Risk Analysis and risk management
• Breach: Breach reporting to covered entities

One Shot! | Fast Turn-Around
Best Be Super Ready
Initial Phase 2 Audit Selection Process

Phase Two of OCR’s HIPAA audit program is currently underway.

1. Email from OCR: OCR is sending emails to various covered entities and business associates determining who is the primary contact – some emails provide 5 days to respond, others 14 days.
2. Pre-Audit Questionnaire: Once contact information is obtained, a CE or BA receives a questionnaire designed to gather data about size, type and operations of potential auditees. The goal – auditing a broad range of candidates. 30 days to respond.
3. Audit Notification Letter: If chosen from the pool of candidates, selected CEs and BAs will receive an audit notification letter. Currently desktop audits. Respond to letter within 10 business days.
Enforcement: OCR Investigations and Compliance

Before Omnibus:
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means

After Omnibus:
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means

Increased Enforcement ► Don’t Wait ► Gap Assessments, Risk Analyses, PnPs, Training, Sanctions etc.
Three Terms To Memorize¹

1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

¹ 45 CFR 160.401 Definitions

Give Your CEO and Outside Counsel Something to Work With!
Enforcement: Amount Of CMP – 45 CFR § 160.404

Violation Category (Section 1176(a)(1))      Penalty Range for Each Violation   All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)      $100 - $50,000                     $1,500,000
(B) Reasonable Cause                         $1,000 - $50,000                   $1,500,000
(C)(i) Willful Neglect – Corrected           $10,000 - $50,000                  $1,500,000
(C)(ii) Willful Neglect – Not Corrected      $50,000                            $1,500,000

Discretion to Use $50K at Any Level | CEs & BAs Act Swiftly in Case of Breach
New Math – CMP

Assume:
• Laptop with 1,000 records is stolen from a Covered Entity and ePHI is impermissibly disclosed … and confidentiality and availability are compromised
• OCR investigation found violations:
  1. Impermissible disclosure of PHI (45 CFR §164.502(a))
  2. Failed to implement safeguards (45 CFR §164.530(c))
  3. Did not ever complete a risk analysis (45 CFR §164.308(a)(1)(ii)(A))
  4. Did not undertake risk management by implementing reasonable and appropriate controls (45 CFR §164.308(a)(1)(ii)(B))
  5. Did not do data backup; failed to create exact retrievable copies of ePHI on laptops (45 CFR §164.308(a)(7)(ii)(A))
• Did not address the above violations within 30 days of discovery of the violations

And, assume, organization was found to be in “willful neglect”
New Math

Civil Monetary Penalty calculation might be:
• Two Privacy Rule violations (Impermissible disclosure + Safeguards failure)
• Three Security Rule violations listed on previous slide
• 1,000 records * $50,000 per violation = $50,000,000 per violation, capped at $1,500,000 for identical violations during a calendar year, so $1,500,000
• 5 violations * $1,500,000 = $7,500,000

But wait, there’s more!!
• Impermissible Disclosure – 1 time = $1.5M
• Every other violation: 2010 – 2015, 6 yrs x 4 x $1.5M = $36.0M
• Total: $37.5M
New Texas HB 300 Penalties

Check Laws in All Jurisdictions In Which You Operate

• Tier 1 (Committed Negligently) – $5,000 each violation
• Tier 2 (Committed Knowingly or Intentionally) – $25,000 each violation
• Tier 3 (Committed intentionally and PHI is used for financial gain) – $250,000 each violation
• Annual Maximum (Pattern or Practice) – Not to Exceed $1.5 million, per year
Agenda: 6. Timing
Omnibus Timing
• January 17, 2013 Release
• January 25, 2013 Publication
• March 26, 2013 Effective Date
• September 23, 2013 Compliance Date

Business Associate Agreements: Compliance Dates
• September 23, 2013, OR
• If a compliant contract was in place
  ‒ prior to January 25, 2013 and not renewed between March 26, 2013 and September 23, 2013,
  ‒ then that prior contract or other arrangement shall be deemed compliant until September 22, 2014 or the date it is renewed or modified on or after September 23, 2013, whichever is earlier
Agenda: 7. Next Actions for BAs and Resources to Assist
10-Point HIPAA Compliance & Cyber Risk Mitigation Program

1. Set privacy and security risk management & governance program in place (45 CFR § 164.308(a)(1))
2. Develop & implement HIPAA privacy, security, and breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA security evaluation (e.g. “compliance assessment”) (45 CFR § 164.308(a)(8))
6. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
7. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Assess your current insurance coverage (e.g. cyber liability, D&O, P&C)
10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))

Derived from OCR Enforcement Actions | Demonstrate Reasonable Diligence
10-Point Strategic HIPAA Compliance & Cyber Risk Assessment™
• Undertake the most complete, intelligent & cost-effective, strategic process on the market
• Receive a customized, actionable strategic plan designed to strengthen your information risk management pertaining to all PHI
• Create a roadmap to lead your organization to complete compliance and information risk management with ALL aspects of HIPAA, the HITECH Act, and the HIPAA Omnibus Final Rule
In Summary …
Observations:
1. It’s not just about a BAA; it’s about Federal Regulations
2. “Heaviest lifting” is typically around the Security Rule
3. BAs have obligations, “upstream” and “downstream”
4. Penalties for non-compliance may be serious (Accretive case study)
5. Don’t Fall For SOC2 Opinions or HITRUST Certifications: They Don’t Help with Compliance / They Don’t Help With Security
Recommendations:
1. Take Stock of Exactly Where You Are Today:
   1. Complete core Security Rule assessment requirements to show good faith effort, OR
   2. Engage Independent 3rd Party Experts to Assess Your Overall Program
2. Read the Regulations Inside-Out or Find Experts Who Know Them
3. Determine What Your Specific Requirements Are Related To The Privacy Rule – Possibly Trickiest!
Other Upcoming Clearwater Events
Visit ClearwaterCompliance.com for more info!
• July 7, 2016 - Complimentary Webinar: How to Conduct a NIST-based Risk Assessment to Comply with HIPAA & Other Regulations
• July 14, 2016 - Complimentary Webinar: OCR’s Phase 2 Audits and How Best to Prepare
• July 21, 2016 - Complimentary Webinar: The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
• July 28, 2016 - Complimentary Webinar: HIPAA 101
AHA Solutions Signature Learning Series™
Register Now: http://ow.ly/b0cX301LkDb
OCR’s Phase 2 HIPAA Security Audits and How Best to Prepare
Learn how to prepare for Phase 2 OCR audits — direct from experts on OCR audit preparedness and a former OCR HIPAA investigator.
This webinar is only available to AHA members.
Virtual Web Based Training: Wednesday, July 27th, 2016, 12:00-1:00 CDT
Clearwater HIPAA and Cybersecurity BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three 3-hour sessions:
• August 4th, 11th, 18th - 2016
• November 3rd, 10th, 17th - 2016
• February 9th, 16th, 23rd - 2017
• May 4th, 11th, 18th - 2017
Complimentary HIPAA Risk Analysis Review
https://clearwatercompliance.com/hipaa-risk-analysis-review/
Why You Should Consider Clearwater
Clearwater Compliance – A Better, Brighter Idea!
• Highly Reference-able Hospital / Health System Customer Base, with Exclusive AHA Endorsement
• Commercially Competitive Professional Services Fees
• Proven Experience in Large Complex Healthcare Environments
• Independent, Objective Advisory Services with No Vendor Ties
• Deep Experience with 30+ Organizations Audited by OCR, CMS & OIG
• Business Risk Management Focus While Achieving Regulatory Compliance
• Seasoned, Credentialed Professionals in Healthcare Privacy, Security, Compliance & Information Risk Management
• Significant Post-Breach Experience and Partner Network
Questions Provided in Advance
1. What are the high risk areas for HIPAA according to the new rulings?
2. Want to understand exactly what a BA is and what they need to do for my office/SRA?
3. What are the employee training requirements for business associates?
4. Should Business Associates provide the Covered Entity with select policies/procedures if not requested?
5. Is a covered entity required to include BAs as part of their risk analysis in terms of Meaningful Use Program?
6. What are the critical audit elements to ensure Covered Entities are monitoring Business Associates compliance with the final rule?
7. If we become HITRUST Certified, will that meet all our HIPAA and security requirements?
8. Whether there is an exception to the prohibition of releasing private information, including discharge, for adult children?
9. I am supporting an office with 2 doctors and 4 employees. Us in the Little Leagues need help with budgetary constraints in mind.
10. BAAs
11. Any suggestions on how to audit our business associates to make sure they are following the same HIPAA rules?
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
https://www.clearwatercompliance.com
Phone: 800-704-3394 or 615-656-4299
linkedin.com/in/BobChaput
Exit Survey, Please
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394 http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance
Thank You!
What About HITRUST versus NIST?
References / Articles for Your Own Due Diligence
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance (Part I) (Part II) (Part III)
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• A Simpler and Better Alternative to the HITRUST Mandate For Third Party Risk Management In Healthcare
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page
We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”.
As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame, with responsibility for 122MM of 156MM records (79%), and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper “Top 10”.
“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
HHS FAQ on 3rd Party Certifications
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html
Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.