Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
• President – Clearwater Compliance LLC• 30+ years in Business, Operations and Technology• 20+ years in Healthcare• Executive | Educator |Entrepreneur• Global Executive: GE, JNJ, HWAY• Responsible for largest healthcare datasets in world• Numerous Technical Certifications (MCSE, MCSA, etc)• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
Increased Enforcement Don’t Wait Gap Assessments, Risk Analyses, PnPs, Training, etc.
After Omnibus• OCR required to conduct an
investigation or compliance review when a preliminary investigation of the facts indicate a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve by informal means investigations
Before Omnibus• OCR may, but is not
required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve by informal means investigations
1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
New MathCivil Monetary Penalty calculation might be:• Two violation Privacy Rule
(Impermissible disclosure + Safeguards failure)
• Six Security Rule violations listed on previous slide
• 1,000 records * $50,000 per violation = $50,000,000 per violation, capped at $1,500,000 for identical violations during a calendar year $1,500,000 per
• 8 violations * $1,500,000 = $12,000,000
But wait, there’s more!!• Impermissible Disclosure – 1 time
Establish a Comprehensive Information Security Program x x
Designate an accountable Security Owner x xDevelop Privacy and Security policies and procedures x x x x x x x
Document authorized access to ePHI xDistribute and update policies and procedures x x x x x x x
Document Process for responding to security incidents x x x x x x x x x
Implement training and sanctions for non-compliance x x x x x x xConduct Risk Analysis / Establish Risk Management Process x x x x x x x x x x x xImplement Reasonable Safeguards to control risks x x x x x x x x x xRegularly review records of information system activity xImplement reasonable steps to select service providers x Testing and monitor security controls following changes x x x x x x x xObtain assessments from qualified independent 3rd party x x x x x x x x
• Audit contract required the contractor to inform the audited entity that “OCR may initiate further compliance enforcement action based on the content and findings of the audit, and that corrective action that cures identified deficiencies may serve to reduce or eliminate potential civil money penalties.”
25
• “…if we uncover, in the course of the audit, major violations or potential violations, we will be dealing with those in the same manner that we would through our formal enforcement process.”
Breach Notification HighlightsSeptember 2009 through April 1, 2013
28
• Over 64,000 reports involving under 500 individuals• 720 reports involving over 500 individuals; More
than 27.8 million fellow citizens’ PHI breached (exceeds population of the entire state of NY). – 720 reported breaches to HHS by Covered Entities.– 167 Business Associates involved/culpable
• Top 5 Million+ Data Breachers Club:– 4.9 MM - TRICARE Management Activity and BA: SAIC – 4.0 MM – Advocate Medical Group– 1.9MM - Health Net, Inc. of CA and BA: IBM– 1.7MM - NYC Health & Hospitals Corp North Bronx Healthcare Network and
BA GRM Information Management Systems– 1.2MM - AvMed, Inc.
• Although OCR made available to covered entities guidance that promoted compliance with the Security Rule, it had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. As a result, OCR had limited assurance that covered entities complied with the Security Rule and missed opportunities to encourage those entities to strengthen their security over ePHI.
• Because OCR did not perform the compliance audits mandated by HITECH, it had limited information about the status of Security Rule compliance at covered entities. Therefore, it had limited assurance that ePHI was secure and might have missed opportunities to motivate covered entities to strengthen ePHI security.
