
The Clear Perspective on Healthcare Cyber Risk - How to Conduct …clearwatercompliance.com/wp-content/uploads/2012-01-25... · 2020-03-16 · 6. Provide clinical summaries for patients


Page 1

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

…Welcome to …

How to Conduct a Meaningful Use / HIPAA Security Risk Analysis WEBINAR

Bob Chaput, CISSP, CHP, CHSS, MCSE | 615-656-4299 or 800-704-3394 | [email protected] | Clearwater Compliance LLC

Page 2

Bob Chaput CISSP, MA, CHP, CHSS, MCSE

• President – Clearwater Compliance LLC

• 30+ years in Business, Operations and Technology

• 20+ years in Healthcare

• Executive | Educator | Entrepreneur

• Global Executive: GE, JNJ, HWAY

• Responsible for largest healthcare datasets in world

• Numerous Technical Certifications (MCSE, MCSA, etc.)

• Expertise and Focus: Healthcare, Financial Services, Legal

• Member: HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards

http://www.linkedin.com/in/BobChaput

Page 3

6 Actions to Take Now

1. Stand Up Your Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))

2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))

3. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

4. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)

5. Complete a Privacy Rule compliance assessment (45 CFR §164.530)

6. Document and act upon a corrective action plan

Use the Regulations as Checklists!

Page 4

About HIPAA-HITECH Compliance

1. We are not attorneys!

2. HIPAA and HITECH are dynamic!

3. Lots of different interpretations!

So there!

Page 5

The 2012 HIPAA Audits: Will the Past Predict the Future?

Page 7

Clearwater HIPAA Audit Prep BootCamp™

One-Day, February 9, 2012, Atlanta, GA

Page 9

Session Objectives

1. Understand Risk Analysis Essentials

2. Review HHS/OCR Final Guidance

3. Learn how to Complete a Risk Analysis

Page 10

Why Should You Care?

1. It’s the law… HIPAA & HITECH!

2. Your stakeholders trust and expect you to do this

3. The KPMG / OCR Auditors are coming

4. Your reputation depends on it!

Page 11

Some Recent Legal Actions: Enforcement is on the upswing…

• Sutter Health Hit With $1B Class-Action Lawsuit

• Patient files $20M lawsuit against Stanford Hospital

• TRICARE Health Management Sued for $4.9B

• UCLA Health System Enters into $865K Resolution Agreement & CAP with OCR

• Cignet Health Fined for Violation of HIPAA Privacy Rule: $4.3M

• MGH entering into a resolution agreement; includes a $1 million settlement

• Court Approves VT Attorney General HIPAA Settlement With Health Insurer

• AvMed Health sued over 'one of the largest medical breaches in history'

• Health Net keeps paying for its data breach in 2009… $625K and counting

• WellPoint's notification delay following data breach brings action by Attorney General's office

Page 12

Wall of Shame

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

As of 01/11/2012: 380 CEs, 83 Named BAs, ~18.0M Individuals affected (comparable to the State of FL, or to these 16 states combined, 17.9M: 1. Wyoming, 2. District of Columbia, 3. Vermont, 4. North Dakota, 5. Alaska, 6. South Dakota, 7. Delaware, 8. Montana, 9. Rhode Island, 10. Hawaii, 11. Maine, 12. New Hampshire, 13. Idaho, 14. Nebraska, 15. West Virginia, 16. New Mexico)

Page 13

OCR Compliance Expectations…

Page 14

Stage 1 Meaningful Use (MU)

MU = Money Up

Page 15

EP Meaningful Use - Core: Eligible Professionals, 15 Core Objectives

1. Computerized provider order entry (CPOE)

2. E-Prescribing (eRx)

3. Report ambulatory clinical quality measures to CMS/States

4. Implement one clinical decision support rule

5. Provide patients with an electronic copy of their health information, upon request

6. Provide clinical summaries for patients for each office visit

7. Drug-drug and drug-allergy interaction checks

8. Record demographics

9. Maintain an up-to-date problem list of current and active diagnoses

10. Maintain active medication list

11. Maintain active medication allergy list

12. Record and chart changes in vital signs

13. Record smoking status for patients 13 years or older

14. Capability to exchange key clinical information among providers of care and patient-authorized entities electronically

15. Protect electronic health information

Page 16

EH & CAH Meaningful Use: EHs and CAHs, 14 Core Objectives

1. Use CPOE for medication orders directly entered by any licensed healthcare professional who can enter orders into the medical record per State, local, and professional guidelines.

2. Implement drug-drug and drug-allergy interaction checks.

3. Maintain an up-to-date problem list of current and active diagnoses

4. Maintain active medication list.

5. Maintain active medication allergy list.

6. Record specific set of demographics

7. Record and chart specific changes in certain vital signs

8. Record smoking for patients 13 years old or older

9. Report hospital clinical quality measures to CMS or, in the case of Medicaid eligible hospitals, the States.

10. Implement one clinical decision support rule related to a high priority hospital condition along with the ability to track compliance with that rule.

11. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies, discharge summary, procedures), upon request.

12. Provide patients with an electronic copy of their discharge instructions at time of discharge, upon request.

13. Capability to exchange key clinical information (for example, problem list, medication list, medication allergies, and diagnostic test results), among providers of care and patient authorized entities electronically.

14. Protect electronic health information

Page 17

Session Objectives

1. Understand Risk Analysis Essentials

2. Review HHS/OCR Final Guidance

3. Learn how to Complete a Risk Analysis

Page 18

Types of Assessments

1. Compliance Assessments (Security Evaluation, in HIPAA parlance)

– Where do we stand?

– How well are we achieving ongoing compliance?

2. Risk Assessment (Risk Analysis, in HIPAA parlance)

– What is our exposure to information assets (e.g., PHI)?

– What do we need to do to mitigate risks?

3. Risk-of-Harm Assessment (Breach-related, in HITECH parlance)

– Have we caused legal, reputational, etc. harm?

– What notifications are required?

Each Assessment Has Its Role and Proper Time

Page 19

Security Evaluation v. Risk Analysis

45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Page 20

Compliance Roadmap (diagram; program elements with their Security Rule citations)

• HIPAA Security Evaluation – 45 CFR 164.308(a)(8)

• HIPAA Security Management Process – 45 CFR 164.308(a)(1)

• HIPAA Security Risk Analysis – 45 CFR 164.308(a)(1)(ii)(A)

• HIPAA Security Risk Management / Preliminary Remediation Plan – 45 CFR 164.308(a)(1)(ii)(B)

• Information System Activity Review – 45 CFR 164.308(a)(1)(ii)(D)

• HIPAA Security Policies & Procedures – 45 CFR 164.316(a)

• HIPAA Training & Awareness – 45 CFR 164.308(a)(5)(i)

• Data Breach Notification Plan – 45 CFR Parts 160, 164 Subpart D

• Business Associate Management Plan

• HIPAA Security Operations

Page 21

2 Dimensions of HIPAA Security Risk Analysis

1. What is our exposure of our information assets (e.g., ePHI)?

2. What do we need to do to mitigate risks?

A Risk Analysis Addresses Both

Page 22

What is Risk?

Risk = Impact * Likelihood

Goal = Understand What Risks Exist and Into What Category They Fall

Overall Risk Value (rows: Impact; columns: Likelihood)

Impact \ Likelihood   LOW      MEDIUM   HIGH
HIGH                  Medium   High     Critical
MEDIUM                Low      Medium   High
LOW                   Low      Low      Medium

Page 23

Vulnerabilities

A vulnerability is defined in NIST Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

1. Lack of strong password

2. Lack of personal firewall

3. Lack of data backup

4. Lack of policies

5. Failure to follow policies

6. Lack of training

7. Lack of encryption on laptops with ePHI…

8. …and on and on …

Page 24

Threats

An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

1. Human

• Viruses, malware, theft, accidental

2. Natural

• Tornado, Hurricane, Earthquake, etc.

3. Environmental

• Power failures, pollution, chemicals, and liquid leakage

Page 25

Threats Trigger Vulnerabilities…

Threat

• Laptop with ePHI can be stolen

Vulnerabilities

• No strong password

• ePHI is not encrypted

• No ability to destroy data

• Laptop is not backed up

Risks

• Financial

• Political

• Legal

• Regulatory

• Operational impact

• Reputational

Page 26

Session Objectives

1. Understand Risk Analysis Essentials

2. Review HHS/OCR Final Guidance

3. How to Complete a Risk Analysis

Page 27

Regardless of the risk analysis methodology employed… (from HHS/OCR Final Guidance)

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Page 28

Session Objectives

1. Understand Risk Analysis Essentials

2. Review HHS/OCR Final Guidance

3. Learn how to Complete a Risk Analysis

Page 29

Risk Analysis Process

Page 30

Step-by-Step: Inventory

1.1 Inventory information assets that create, receive, maintain and transmit ePHI

1.2 Document their present security controls and criticality of the applications and their data

Page 31

Step-by-Step: Inventory

• Information Asset / Application / Database Name Containing ePHI

• Information Asset Owner

• Description of Information Asset / Application / Database Name Containing ePHI

• Location of ePHI

• ePHI Data Source

• ePHI Data Sharing

• Business Processes Supported

• Asset Importance to Business

• Estimated Number of Records

• Planned Risk Analysis Completion

Data elements captured should help inform and guide the risk analysis steps that follow…

Page 32

Inventory & Controls

• Brainstorm known current security controls in place or reference NIST SP 800-53 for a “sanity check”

• Later, when evaluating each risk and threat against your information asset, you will consider what controls you have already implemented…

Page 33

Step-by-Step: Risk Determination

2.1 Identify threats in the environment

2.2 Identify vulnerabilities that threats could attack

2.3 Describe the risks based on threats and vulnerabilities

2.4 Determine the likelihood of the risk

2.5 Determine the severity of the impact

2.6 Determine and summarize the risk level

Page 34

Describe Risks

• Describe the Risks – consider all possible risks to the Asset being analyzed in the context of known vulnerabilities and common security threats. Create a separate row for each Risk to the Asset being analyzed. …

Page 35

Determine Likelihood

Score The Likelihood:

• 0 = Risk/threat does not apply to this ePHI/application/database.

• 1 = Rare – The event would only occur under exceptional circumstances.

• 2 = Unlikely – The event could occur at some time, but probably will not.

• 3 = Moderate – The event should occur at some time.

• 4 = Likely – The event will probably occur at some time.

• 5 = Almost Certain – The event is expected to occur in most circumstances.

Page 36

Determine Impact

Think Business Risks…

• Financial

• Political

• Legal

• Regulatory

• Operational impact

• Reputational

…Score The Impact:

• 0 = Threat is not applicable

• 1 = Insignificant

• 2 = Minor

• 3 = Moderate

• 4 = Major

• 5 = Disastrous

Page 37

Summarize Risk

Use Quantitative or Qualitative Approach to Summarize Risk

Page 38

Step-by-Step: Risk Remediation

3.1 Recommend risk mitigation strategies for each risk

3.2 Implement applicable controls to mitigate risk

3.3 Determine residual likelihood that a threat could attack a vulnerability

3.4 Analyze the residual severity of the impact

3.5 Determine and report residual risk to senior management
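An added worked example (not Clearwater's Excel tool or any code from the deck) that ties together the likelihood and impact scoring slides, the Risk = Impact * Likelihood matrix, and the residual-risk steps 3.3 through 3.5 above, using the stolen-laptop threat from the "Threats Trigger Vulnerabilities" slide as constructed sample rows. The one thing the deck does not state, and this code assumes, is how the 1-5 scores map onto the matrix's LOW/MEDIUM/HIGH axes (here 1-2 LOW, 3 MEDIUM, 4-5 HIGH).

```python
"""Small HIPAA risk register: likelihood x impact scoring, the qualitative
matrix, prioritization, and residual risk after controls (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# 0-5 scales from the "Determine Likelihood" and "Determine Impact" slides
LIKELIHOOD = {0: "Not applicable", 1: "Rare", 2: "Unlikely", 3: "Moderate",
              4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not applicable", 1: "Insignificant", 2: "Minor", 3: "Moderate",
          4: "Major", 5: "Disastrous"}

# "Overall Risk Value" matrix from the deck: rows = Impact band, cols = Likelihood band
MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Low",    "MEDIUM": "Low",    "HIGH": "Medium"},
}


def band(score: int) -> str:
    """Map a 1-5 score onto the matrix's LOW/MEDIUM/HIGH axis.
    ASSUMPTION (the deck does not state the banding): 1-2 LOW, 3 MEDIUM, 4-5 HIGH."""
    if score not in (1, 2, 3, 4, 5):
        raise ValueError(f"score must be 1..5, got {score}")
    return "LOW" if score <= 2 else ("MEDIUM" if score == 3 else "HIGH")


@dataclass
class Risk:
    """One register row: a threat exercising one vulnerability on one asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                                # step 2.4, 0-5
    impact: int                                    # step 2.5, 0-5
    controls: list = field(default_factory=list)   # steps 3.1 / 3.2
    residual_likelihood: Optional[int] = None      # step 3.3
    residual_impact: Optional[int] = None          # step 3.4

    def _scores(self, residual: bool):
        if not residual:
            return self.likelihood, self.impact
        if self.residual_likelihood is None or self.residual_impact is None:
            raise ValueError("residual likelihood/impact not yet determined")
        return self.residual_likelihood, self.residual_impact

    def score(self, residual: bool = False) -> int:
        """Risk = Impact * Likelihood (0..25); 0 means the threat does not apply."""
        lik, imp = self._scores(residual)
        for v in (lik, imp):
            if v not in range(0, 6):
                raise ValueError(f"scores must be 0..5, got {v}")
        return lik * imp

    def level(self, residual: bool = False) -> str:
        """Qualitative level from the matrix (step 2.6, or 3.5 for residual)."""
        lik, imp = self._scores(residual)
        if lik == 0 or imp == 0:
            return "N/A"
        return MATRIX[band(imp)][band(lik)]


def prioritize(register):
    """Order work plans by inherent risk, highest first (checklist step 9)."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def summarize(register, residual: bool = False):
    """Counts per level for the executive summary (step 4.1)."""
    counts = {}
    for r in register:
        lvl = r.level(residual)
        counts[lvl] = counts.get(lvl, 0) + 1
    return counts


def check_residual(risk: Risk) -> bool:
    """Sanity check before reporting to senior management (step 3.5):
    a control must not leave the row riskier than it started."""
    return risk.score(residual=True) <= risk.score()


# Constructed sample rows built around the deck's stolen-laptop example.
REGISTER = [
    Risk("Clinic laptop (sample)", "Laptop with ePHI can be stolen", "ePHI is not encrypted",
         likelihood=4, impact=5, controls=["Full-disk encryption"],
         residual_likelihood=4, residual_impact=2),  # theft still likely, data unreadable
    Risk("Clinic laptop (sample)", "Laptop with ePHI can be stolen", "No strong password",
         likelihood=4, impact=3, controls=["Password policy", "Screen lock"],
         residual_likelihood=4, residual_impact=2),
    Risk("Clinic laptop (sample)", "Laptop with ePHI can be stolen", "Laptop is not backed up",
         likelihood=4, impact=3, controls=["Nightly backup to the EHR server"],
         residual_likelihood=4, residual_impact=1),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.vulnerability:<25} inherent {r.score():>2} {r.level():<8} "
              f"residual {r.score(True):>2} {r.level(True)}")
    print("inherent:", summarize(REGISTER), "residual:", summarize(REGISTER, residual=True))
```

Note that encryption leaves the likelihood of theft unchanged and only lowers the impact, which is why the first row drops from Critical to Medium rather than to Low.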

Page 39

Remediate Risk

Consider Possible Actions: Plan to implement additional reasonable and appropriate Safeguards

Page 40

Determine Residual Risk

Page 41

Step-by-Step: Documentation

4.1 Generate HIPAA Risk Analysis Executive Summary

4.2 Monitor changes in the environment, information systems, and security technology

4.3 Update the risk analyses; and implement any other controls

Page 42

Documentation

Prepare documentation appropriate to your organization and which meets HIPAA Security Rule Requirements…

Page 43

Steps to Complete A HIPAA Meaningful Use Risk Analysis

1. Form a Cross-Functional Task Force

2. Set Business Risk Management Goals

3. Get Educated – Learn the Requirements and the Consequences

4. Build / Buy a Risk Analysis Software Tool Based on the HHS/OCR Final Guidance

5. Set a Scoring Methodology

6. Complete the HIPAA Risk Analysis Methodology

7. Document Control Gaps

8. Make Risk Mitigation Decisions

9. Prioritize Work Plans based on Risks

10. Execute Risk Mitigation Plan

Page 44

HIPAA Security Risk Analysis Resources

1. Health and Human Services – Office for Civil Rights, “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (http://abouthipaa.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf)

2. National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)

3. National Institute of Standards and Technology (NIST) Special Publication 800-33, “Underlying Technical Models for Information Technology Security” (http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf)

4. National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1, “An Introductory Resource Guide for Implementing the HIPAA Security Rule” (http://csrc.nist.gov/publications/PubsSPs.html)

5. National Institute of Standards and Technology (NIST) Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-14/Planguide.PDF)

6. National Institute of Standards and Technology (NIST) Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems” (http://csrc.nist.gov/publications/nistpubs/800-26/Planguide.PDF)

7. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3 Final, “Recommended Security Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf)

8. Notice of Proposed Rulemaking (NPRM) – “Modifications to HIPAA Privacy, Security and Enforcement Rules under The Health Information Technology for Economic and Clinical Health Act (HITECH)” (http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf)

9. “HIPAA Security Final Rule” (http://abouthipaa.com/wp-content/uploads/HIPAA_Security_Final_Rule1.pdf)

Page 45

How Our Methodology Compares

Page 46

Contemplation … Choices

IF STRICTLY FOCUSED ON RISK ANALYSIS AND MU MONEY…

1. Do-it-Yourself HIPAA Security Risk Analysis™

2. Facilitated Do-it-Yourself HIPAA Security Risk Analysis WorkShop™ - Onsite

3. Have Someone Do It: Meaningful Use Risk Analysis for Medical Practices™ - Remote

IF INTERESTED IN BROADER COMPLIANCE HELP…

4. Managed Compliance Services: Clearwater Managed Compliance Services™

Page 47

What You Receive – HIPAA Security Risk Analysis ToolKit™

• HIPAA Security Risk Analysis and Risk Management Methodology with Detailed Step-by-Step Instructions

• Comprehensive HIPAA Security Risk Analysis Excel Workbook Tool™, HIPAA Compliance Software

• HIPAA-HITECH Security Compliance Roadmap™

• Comprehensive HIPAA Security Glossary of Terms, included with Excel Tool™

• Executive Summary – Risk Analysis template

• HHS/OCR Final Guidance on Risk Analysis

• NIST Special Publications

• 60 minutes of complimentary email, telephone or web-meeting support

• Very Latest Updates on HITECH Act and NPRM Changes

HIPAA Security Risk Analysis ToolKit™ More Information at:

Clearwater HIPAA Security Risk Analysis™

Comprehensive digital download navigation tool…

Page 49

High Value – High Impact Risk Analysis WorkShop™ Process

I. PREPARATION: A. Plan / Gather, B. Read Ahead, C. Complete QuickScreen™

II. ONSITE SESSION: A. Facilitate, B. Educate, C. Evaluate

III. CONSULTATION: A. E-mail, B. Telephone, C. Web Meetings

Durations shown on the slide: 1 Day, ½ Day, 1 Day

Page 50

“Remote” Meaningful Use Risk Analysis for Medical Practices™

I. Practice completes user-friendly web-based Clearwater Smart Questionnaire™

II. Consultant facilitates phone call / web meeting follow-up to gather additional and/or more specific details

III. Consultant develops and delivers HIPAA Security Risk Analysis Report

Page 51

“Remote” Meaningful Use Risk Analysis for Medical Practices™ – Value-Added Pricing

• Pricing model based on number of practitioners in the practice
• Designed for small medical practices with under 50 practitioners
• Focused on / limited to EMR-EHR

Practitioner(s)    Price
1st                $800
2nd – 3rd          $400
4th – 10th         $200
11th – 20th        $150
Over 21            Quote


Managed Compliance Services™

• Two-Year Program
• Systematic, Sustainable Programmatic Approach…
• Under Clearwater Leadership and Guidance…
• Covers HIPAA Privacy, Security & Breach Notification

Start / Year 1:
• Oversight Council
• Assessments
• Corrective Action Plans
• Policies & Procedures
• Training

Year 2:
• Re-Assessments
• Corrective Action Plans
• Policies & Procedures Refresh
• Business Associate Management
• Training

Ongoing Support and Guidance:
• Re-Assessments
• Corrective Action Plans
• Policies & Procedures Refresh
• Training


Summary and Next Steps

• Risk Analysis is a Critical, Foundational Step
• Consider Assessing the Forest as Well
• Completing a Risk Analysis is key to meeting Meaningful Use Requirements…
• But, is not your only requirement…
• Stay Business Risk Management-Focused
• Don’t Call The Geek Squad
• Large or Small: Get Help (Tools, Experts, etc.)
• Consider tools and templates


Additional Information



Why Now? – What We’re Hearing

“Our business partners (health plans) are demanding we become compliant…” – large national care management company (BA)

“We did work on Privacy, but have no idea where to begin with Security” – 6-Physician Pediatric Practice (CE)

“We want to proactively market our services by leveraging our HIPAA compliance status…” – large regional fulfillment house (BA)

“With all the recent changes and meaningful use requirements, we need to make sure we meet all the HITECH Act requirements…” – large family medicine group practice (CE)

“We need to have a way to quickly take stock of where we are and then put in place a dashboard to measure and assure our compliance progress…” – national research consortium (BA)

“We need to complete HIPAA-HITECH due diligence on a potential acquisition and need a gap analysis done quickly and efficiently…” – seniors care management company (BA)


What Our Customers Say…

“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium

“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization

“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can’t think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization

“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can’t think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm

“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs