
Post on 16-Aug-2020


How We Can Help: Navigating Compliance, OCR Enforcement, and the High Risk Threat Landscape

October 18, 2016


Speakers

• Robert Mireles, CIPM - Sr. Healthcare Privacy Specialist for Managed Privacy Services, FairWarning

• Chuck Burbank - CISO and Director of Managed Privacy Services, FairWarning

• Trent Long, CHP - Manager of Managed Privacy Services, FairWarning

• Tyler Carlson, CHP - Lead Privacy Analyst, FairWarning

Agenda

• The Unseen Impact of a PHI Breach

• The Mission and Vision of OCR

• What this Year's Resolution Agreements Show the Industry is Still Missing

• OCR Enforcement Activity

• Structuring Your Monitoring Program

• Training and Remediation

• Demonstrable and Actionable Compliance

• Managed Privacy Services

The Unseen Impact of a PHI Breach

Imagine that you are the victim of some sort of incident and wind up in the hospital:

• Now imagine that your information is compromised by the hospital or doctor. How would you feel?

• What if your information was used for identity theft, or worse, medical identity theft, and now you are having to fight to receive healthcare and clean up your credit?

• What is your duty as a healthcare organization to your patients?

The Mission and Vision of OCR

• To improve the health and well-being of people across the nation

• To ensure that people have equal access to services from HHS programs without facing unlawful discrimination

• To protect the privacy and security of health information

“Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals…”

View OCR’s Mission and Vision

The Industry is Still Missing the Basics

• A current and thorough Risk Analysis

- 6 out of 10 settlements

• A Risk Management plan to address gaps identified in risk assessments

- 6 out of 10 settlements

- In September, the ONC released new features to the Security Risk Assessment Tool

• Ongoing privacy and security training

- 10 out of 10 settlements

• Up-to-date privacy and security policies

- 10 out of 10 settlements

Deficiency trends found in this year’s Resolution Agreements

View the Full List of Resolution Agreements

BREAKING NEWS: Released Today - $2.14 Million HIPAA Settlement Underscores Importance of Managing Security Risk

OCR Enforcement Activity

• OCR Phase 2 HIPAA Desk Audits

• Record Numbers of Resolution Agreements

• OCR’s heightened focus:

- HIPAA enforcement

- Insider abuses (Aug. 1, 2016)

- Breaches affecting fewer than 500 individuals (Aug. 18, 2016)

October 13, 2016

“OCR will continue to focus its enforcement efforts and its resources in this area on cases that identify industry-wide noncompliance, where corrective action under HIPAA may be the only remedy…”

- Jocelyn Samuels, Director of HHS Office for Civil Rights

Structuring Your Monitoring Program

FairWarning Managed Privacy Services successfully monitors over 447,000 employees on a daily basis

Blueprint for a successful monitoring program:

• HIPAA, Privacy, Security Certified experts

• Experts in clinical application audit data

• Technology experts

• Day-to-day accountability and audit readiness

This redundancy in expertise eliminates the risk of a single point of failure, such as an unexpected termination.

Training and Remediation

Successful monitoring programs require:

1. Privacy and Security training

2. Appropriate remediation for violations

3. Accountability

Demonstrable & Actionable Compliance

• Use an Investigation Tool as a repository for Privacy and Security Investigations

- Employee Complaints

- Automated Alerts

- Hacking/IT

- Improper Disposal

• Review and document every potential incident

- Make a determination if the access is business related

- Document and close all business related incidents

What if the access is not business related?

Investigations need to capture the following information, at a minimum, for an OCR Breach Report:

• Investigation type

• Description of investigation

• Affected patient count

• Systems accessed

• Type of PHI access

• Current protective measures

• Involved parties

• Occurrence Dates

• Notification Dates

• Resolution follow up actions

• Response Actions

Initiate 4-part risk of compromise assessment (OCR Mandated)

Submit OCR Breach Report

Improved compliance. More time. Less worry.

• Your data, our expertise

• Reduce your compliance workload

• Investigation management

• Create a culture of Privacy & Compliance

Managed Privacy Services

Questions?

For more information, please visit: www.FairWarning.com

Email: Solutions@FairWarning.com