Posted: 16-Dec-2015 | Category: Documents | Uploaded by: lyndsey-kelly
© Clearwater Compliance LLC | All Rights Reserved | Clearwater Compliance Proprietary & Confidential
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Ready or Not!
How to Prepare for the OCR HIPAA Audits or Investigations
December 16, 2013
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
Clearwater Compliance LLC
615-656-4299 or 800-704-3394
[email protected]
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISACA, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. Omnibus has arrived!
3. Lots of different interpretations!
Big Points & Our Agenda
• Omnibus’ Harsh New Math
• Oh NO! – Not an OCR Enforcement Action!
• Seven (7) Things May Get You There
• OCR’s New Motivation
• Heads Up – Many Sources of Risk and Liability
• Nine (9) Actions Will Mitigate Risk Now!
Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ 160.306, 160.308, 160.312
Before Omnibus:
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means
After Omnibus:
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means
Increased Enforcement – Don’t Wait: Gap Assessments, Risk Analyses, PnPs, Training, etc.
Three Terms to Memorize (45 CFR 160.401 Definitions)
1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. NEW!
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
Give Your CEO and Outside Counsel Something to Work With!
New Math – Enforcement: Amount of CMP - 45 CFR § 160.404
Violation Category - Section 1176(a)(1) | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know) | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000
Discretion to Use $50K at Any Level. CEs & BAs Act Swiftly in Case of Breach.
New Math - CMP
Assume:
• Laptop with 1,000 records is stolen from a Covered Entity and ePHI is impermissibly disclosed / confidentiality and availability are compromised
• OCR investigation found violations:
  • Impermissible disclosure of PHI (45 CFR §164.502(a))
  • Failed to implement safeguards (45 CFR §164.502(a))
  • Did not appoint a security official (45 CFR §164.308(a)(2))
  • Did not ever complete a risk analysis (45 CFR §164.308(a)(1)(ii)(A))
  • Did not undertake risk management by implementing reasonable and appropriate controls (45 CFR §164.308(a)(1)(ii)(B))
  • Did not conduct security awareness and training (45 CFR §164.308(a)(5))
  • Failed to implement security incident response and reporting policies and procedures (45 CFR §164.308(a)(6))
  • Did not do data backup; failed to create exact retrievable copies of ePHI on laptops (45 CFR §164.308(a)(7)(ii)(A))
• Did not address the above violations within 30 days of discovery of the violations
And, organization was found to be in “willful neglect”
New Math – Civil Monetary Penalty calculation might be:
• Two Privacy Rule violations (Impermissible disclosure + Safeguards failure)
• Six Security Rule violations listed on previous slide
• 1,000 records * $50,000 per violation = $50,000,000 per violation, capped at $1,500,000 for identical violations during a calendar year, so $1,500,000 per violation
• 8 violations * $1,500,000 = $12,000,000
But wait, there’s more!! (figures in $ millions)
• Impermissible Disclosure – 1 time: $1.5
• Every other violation:
  • 2006, 2007, 2008: 3 x 7 x $25K = $0.5
  • 2009, 2010, 2011, 2012: 3 x 7 x $1.5 = $31.5
• Total: $33.5
OCR Enforcement Action
Seven Things May Get You Here – Avoid Them!!
You Do NOT Want an OCR Enforcement Action
Therefore, you do not want…
1. Complaint
2. Random Audit
3. Breach Notice
4. SAG HITECH Action
5. FTC Action
6. Whistleblower
7. State Action (e.g., DHS, DMHC)
Anyone Can File a Complaint
https://ocrportal.hhs.gov/ocr/cp/complaint_frontpage.jsf
Complaints (*Through September 2013)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html
http://healthitsecurity.com/2013/09/23/ocr-director-leon-rodriguez-previews-hipaa-audit-strategies/
OCR Complaint Process
Complaint → Intake & Review → Investigation → Resolution
Resolution at Intake & Review (complaint closed) when:
• The violation did not occur after April 14, 2003
• Entity is not covered by the Privacy Rule
• Complaint was not filed within 180 days and an extension was not granted
• The incident described in the complaint does not violate the Privacy Rule
Possible Privacy Rule or Security Rule Violation → Investigation → Resolution:
• OCR finds no violation
• OCR voluntary compliance, corrective action, or other agreement
• OCR issues formal finding of violation
Possible Criminal Violation → DOJ (Accepted by DOJ)
Trending to 1,500 Complaints per Month
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html
Some OCR Corrective Action Plans
Settlements (12 CAPs, $13.5+M total): AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite-Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M
Corrective Action Plan (CAP) Requirement | Number of the 12 CAPs requiring it
Establish a Comprehensive Information Security Program | 2
Designate an accountable Security Owner | 2
Develop Privacy and Security policies and procedures | 7
Document authorized access to ePHI | 1
Distribute and update policies and procedures | 7
Document Process for responding to security incidents | 9
Implement training and sanctions for non-compliance | 7
Conduct Risk Analysis / Establish Risk Management Process | 12
Implement Reasonable Safeguards to control risks | 10
Regularly review records of information system activity | 1
Implement reasonable steps to select service providers | 1
Test and monitor security controls following changes | 8
Obtain assessments from qualified independent 3rd party | 8
Retain required documentation | 10
Be Prepared for Audits
Further Enforcement Action
• Audit contract required the contractor to inform the audited entity that “OCR may initiate further compliance enforcement action based on the content and findings of the audit, and that corrective action that cures identified deficiencies may serve to reduce or eliminate potential civil money penalties.”
• “…if we uncover, in the course of the audit, major violations or potential violations, we will be dealing with those in the same manner that we would through our formal enforcement process.”
Document Request List
• What has your organization done to minimize gaps in compliance?
http://abouthipaa.com/wp-content/uploads/Documentation_request_list_OCR-audit-notification.pdf
Notice… of a Breach
Breach Notification Highlights: September 2009 through April 1, 2013
• Over 64,000 reports involving under 500 individuals
• 720 reports involving over 500 individuals; more than 27.8 million fellow citizens’ PHI breached (exceeds the population of the entire state of NY).
  – 720 breaches reported to HHS by Covered Entities
  – 167 Business Associates involved/culpable
• Top 5 Million+ Data Breachers Club:
  – 4.9 MM - TRICARE Management Activity and BA: SAIC
  – 4.0 MM – Advocate Medical Group
  – 1.9 MM - Health Net, Inc. of CA and BA: IBM
  – 1.7 MM - NYC Health & Hospitals Corp North Bronx Healthcare Network and BA GRM Information Management Systems
  – 1.2 MM - AvMed, Inc.
SAG Call to Arms… complete with Training
The HITECH Act, Section 13410(e), Improved Enforcement:
• “…the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State…”
Are You Ready?
OCR’s New Motivation?
http://clearwatercompliance.com/wp-content/uploads/2013/12/OIG-on-OCR-and-HIPAA-Security-Rule-Enforcement.pdf
• Although OCR made available to covered entities guidance that promoted compliance with the Security Rule, it had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. As a result, OCR had limited assurance that covered entities complied with the Security Rule and missed opportunities to encourage those entities to strengthen their security over ePHI.
• Because OCR did not perform the compliance audits mandated by HITECH, it had limited information about the status of Security Rule compliance at covered entities. Therefore, it had limited assurance that ePHI was secure and might have missed opportunities to motivate covered entities to strengthen ePHI security.
Sources of Risk and Liability
Set Your Vision
How the organization sees compliance, from least to most mature:
• Necessary Evil
• Operational Necessity
• Competitive Advantage
• Marketing, Customer Service & Patient Safety Strategy
HIPAA-HITECH Compliance Project vs. Patient/Member Privacy & Security Program
Include All Regulations: HIPAA, HITECH, Omnibus Final Rule (Privacy, Security, Breach Notification, …)
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
Include All Dimensions – Balanced Compliance Program (Clearwater Compliance Compass™)
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
• Procedures or processes – documented – provide the actions required to deliver on the organization’s values.
• Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
How to Do It Right
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Think Program, Not Project!
• Start / Year 1: Oversight; Inventory PHI & ePHI; Inventory BAs; Assessments; Remediation Plans; Policies & Procedures; Business Associate Management; Training
• Year 2 and beyond (with Ongoing Support and Guidance): Re-Inventory PHI & ePHI; Re-Inventory BAs; Re-Assessments; Remediation Plans; Policies & Procedures Review; Business Associate Management; Training Update
Two Helpful “Tests”
• Clearwater CE Omnibus ReadinessCheck™: http://clearwatercompliance.com/covered-entity-omnibus-readinesscheck/
• Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/
Other Helpful Resources
• Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
• Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis: http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/
Contact
Bob Chaput, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299