© 2010-11 Clearwater Compliance LLC | All Rights Reserved
Stages of Behavior Change [1]
The Transtheoretical Model (TTM) of Behavior Change assesses an individual's readiness to act on a new healthier behavior, and provides strategies, or processes of change, to guide the individual through the stages of change to Action and Maintenance.
(Figure: the stages of change, from Ignorance and Denial through Pre-Contemplation, Contemplation, Preparation and Action to Maintenance.)
Where is your organization on its HIPAA-HITECH compliance journey?
[1] Prochaska and DiClemente
How to Revitalize Your HIPAA-HITECH Compliance Program
WEBINAR
Welcome to…
Bob Chaput, Clearwater Compliance LLC, 615-656-4299 or 800-704-3394, [email protected]
Bob Chaput CISSP, MA, CHP, CHSS, MCSE
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We're excited about what we do because… we're helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… And, keeping those same organizations off the Wall of Shame…!
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!
So there!
How to Revitalize Your HIPAA-HITECH Compliance Program
Answer Page!
• Adult Education!
• Here's How to Revitalize Your HIPAA-HITECH Compliance Program
Session Objectives
1. Understand the Problem
2. Review Recent Cases, Data and Facts
3. Actions You Can Take Now!
What's The Big Deal?
• Street cost for a stolen record: Medical $50 vs. SSN $1 [1]
• Payout for identity theft: Medical $20,000 vs. Regular $2,000 [1]
• Medical records can be exploited 4x longer: credit cards can be cancelled; medical records can't [1]
[1] RSA Report on Cybercrime and the Healthcare Industry
Medical Record Abuse consequences: Prescription Fraud; Embarrassment; Financial Fraud; Personal Data Resale; Blackmail / Extortion; Medical Claims Fraud; Job loss / reputational damage
What's The Big Deal - $$$
• A clerk in a medical clinic at a Florida hospital stole the medical IDs of 1,100 patients and sold them. The numbers were subsequently used to bill Medicare for $2.8 million in false claims. [1]
• In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress. [2]
[1] McKay, Jim. "Identity Theft Steals Millions from Government Health Programs." GovTech.com. 12 Feb. 2008. Web. 6 Sept. 2011. http://www.govtech.com/security/Identity-Theft-Steals-Millions-from-Government.html
[2] Brodkin, Jon. "ChoicePoint Details Data Breach Lessons." PCWorld. 11 June 2007. Web. 7 Sept. 2011. http://www.pcworld.com/article/132795/choicepoint_details_data_breach_lessons.html
Here's The Big Deal
Three Pillars of HIPAA-HITECH Compliance…
(Figure: three pillars, Privacy, Security and Data Breach Notification, resting on HIPAA and HITECH.)
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~60 "dense" Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
Key Learnings of Successful Organizations: HIPAA-HITECH Compliance
I. It's a matter of Business Risk Management, not an "IT problem"
II. It must be a Program, not a Project
III. It requires unique skills, knowledge and experience
IV. Four "must have" key ingredients are Policies, Procedures, People and Technology
V. Achieving Compliance is complex and stressful
The Problem
HIPAA-HITECH Compliance Is Hard!
• Revenues and assets are at risk
• Reputations are being damaged
• Enforcement is on the upswing
• Penalties are up dramatically
• Class action lawsuits abound
• Regulations are complex and changing
• Few organizations have the skills, knowledge and experience to establish solid programs and manage risks proactively
• Few nurture and maintain their programs as required by regulation
Why Should You Care?
1. It's the law… HIPAA & HITECH!
2. Your stakeholders trust and expect you to do this
3. The KPMG / OCR Auditors are coming
4. Your reputation depends on it!
Session Objectives
1. Understand the Problem
2. Review Data, Facts & Recent Cases
3. Actions You Can Take Now!
Health Information Technology for Economic and Clinical Health Act
HITECH = Hey It's Time to End your Compliance Holiday
The HITECH Act
THREE absolute "game changers":
1) More Enforcement
2) Bigger fines
3) Wider Net Cast
New Civil Monetary Penalty System
• Tier 1 (Accidental): $100 each violation; up to $25,000 for identical violations, per year
• Tier 2 (Not Willful Neglect, but Not Accidental): $1,000 each violation; up to $100,000 for identical violations, per year
• Tier 3 (Willful Neglect, but Corrected): $10,000 each violation; up to $250,000 for identical violations, per year
• Tier 4 (Willful Neglect, Not Corrected): $50,000 each violation; up to $1.5 million for identical violations, per year
Note: these are the tiers as written in the HITECH Act. HHS's 2009 enforcement interim final rule (45 CFR 160.404) implements them with a per-violation amount of up to $50,000 in every tier and applies the $1.5 million annual cap for identical violations to all four tiers, so the lower caps above should not be relied on as the ceiling.
PS – Don't Forget Criminal Penalties
Congress also established criminal penalties for certain actions…
• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm
Wall of Shame
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
As of 01/11/2012: 380 CEs and 83 named BAs listed; ~18.0M individuals affected, roughly the population of the State of FL.
(Figure: the same ~18.0M individuals also equals the combined population, 17.9M, of these 16 jurisdictions: Wyoming, District of Columbia, Vermont, North Dakota, Alaska, South Dakota, Delaware, Montana, Rhode Island, Hawaii, Maine, New Hampshire, Idaho, Nebraska, West Virginia and New Mexico.)
Quick OCR / KPMG HIPAA Audit Update – 1st 20 Audits

Covered Entity Type        | Level 1 | Level 2 | Level 3 | Level 4 | Total
Health plans               |    2    |    3    |    1    |    2    |   8
Health care providers      |    2    |    2    |    2    |    4    |  10
Health care clearinghouses |    1    |    1    |    0    |    0    |   2
Total                      |    5    |    6    |    3    |    6    |  20

Health Plans (8): Medicaid 1; SCHIP 1; Group Health Plans 3; Health Insurance Issuer 3
Health Care Providers (10): Allopathic & Osteopathic Physicians 3; Hospitals 3; Laboratories 1; Dental 1; Nursing and Custodial Facilities 1; Pharmacy 1
Some Recent Legal Actions
Enforcement is on the upswing…
• Sutter Health Hit With $1B Class-Action Lawsuit
• Patient files $20M lawsuit against Stanford Hospital
• TRICARE Health Management Sued for $4.9B
• UCLA Health System Enters into $865K Resolution Agreement & CAP with OCR
• Cignet Health Fined for Violation of HIPAA Privacy Rule: $4.3M
• MGH entering into a resolution agreement; includes a $1 million settlement
• Court Approves VT Attorney General HIPAA Settlement With Health Insurer
• AvMed Health sued over 'one of the largest medical breaches in history'
• Health Net keeps paying for its data breach in 2009… $625K and counting
• WellPoint's notification delay following data breach brings action by Attorney General's office
Session Objectives
1. Understand the Problem
2. Review Data, Facts & Recent Cases
3. Actions You Can Take Now!
6 Actions to Take Now
1. Stand Up Your Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
3. Complete a HIPAA Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A))
4. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR § 164.530 and 45 CFR § 164.316)
5. Complete a Privacy Rule compliance assessment (45 CFR § 164.530)
6. Document and act upon a corrective action plan
Use the Regulations as Checklists!
Example – HIPAA Security Roadmap
(Figure: roadmap components, with the Security Rule citation shown beside each where the slide gives one.)
• HIPAA Security Management Process (45 CFR 164.308(a)(1))
• HIPAA Security Evaluation (45 CFR 164.308(a)(8))
• HIPAA Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))
• HIPAA Security Risk Management (45 CFR 164.308(a)(1)(ii)(B))
• Preliminary Remediation Plan
• Information System Activity Review (45 CFR 164.308(a)(1)(ii)(D))
• HIPAA Security Policies & Procedures (45 CFR 164.316(a))
• HIPAA Training & Awareness (45 CFR 164.308(a)(5)(i))
• Business Associate Management Plan
• Data Breach Notification Plan (45 CFR Parts 160 and 164, Subpart D)
• HIPAA Security Operations
Security Evaluation vs. Risk Analysis
• Security Evaluation: compliance-focused; the "forest"
• Risk Analysis: exposure-focused; the "trees/weeds"
• Both are important and necessary, and together they form the compliance roadmap
HIPAA Security Final Rule "taxonomy": 5 major areas; 22 Standards; 53 Implementation Specifications
Where do you stand?
Why do a Security Assessment?
1. Prepare for Mandatory Audits
2. Receive an Objective, Independent 3rd Party Review
3. Build Solid Educational Foundation
4. Meet 45 CFR 164.308(a)(8) - Evaluation
5. Jump-Start Overall Security Compliance Program
6. Develop / Execute Preliminary Remediation Plan
Demonstrate Good Faith Effort
Quick Demo
https://www.hipaasecurityassessment.com
Why Use Clearwater Security Assessment Tool?
http://HIPAASecurityAssessment.com
1. Serves as Assessment Wizard and Advisory Guide
2. Auto-creates Remediation Plan and Provides Management Tool
3. Dynamically Updates Executive Dashboard
4. Establishes Baseline Score for Progress Monitoring
5. Serves as "Living Compliance Manual"
6. Creates "Single Source of the Truth" and Document Repository
7. Establishes Step 1 in Roadmap to Compliance
High Value – High Impact HIPAA-HITECH Compliance WorkShop™
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™
II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Evaluate
III. WRITTEN REPORT: A. Findings; B. Observations; C. Recommendations
(Figure shows phase durations of ½ day, ½ day and 1 day.)
Managed Compliance Services
(Figure: Problem, Action, Results.)
Summary and Next Steps
• Don't Panic! Don't Freeze!
• Assess the Forest First, Then Get Into the Trees/Weeds
• Engage Executives and Leaders
• Stay Business Risk Management-Focused
• Large or Small: Get Help (Tools, Experts, etc.) and Consider an Independent, Objective Assessment
AboutHIPAA.com Resources
"On Demand" HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/
Clearwater HIPAA Audit Prep BootCampTM
One-Day February 9, 2012, Atlanta, GA
Expert Instructors
• Jim Mathis, JD, CHC, CHP: Healthcare Industry Attorney, HIPAA Consultant
• Bob Chaput, CISSP, CHP, CHSS, MCSE: CEO, Clearwater Compliance
• Adam Greene, JD: Partner, Davis Wright Tremaine LLP
Contact
Bob Chaput, CISSP
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
What Our Customers Say…
"The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have." – outside Legal Counsel, national research consortium
"The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization's performance against HIPAA-HITECH Security requirements." – SVP and Chief Compliance, national hospice organization
"… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the 'ToolKit' was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts." – VP & CIO, national care management organization
"…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit." – CIO, national kidney dialysis center firm
What's The Big Deal?
"…cost of clinical fraud for each victim was roughly 3.5 times greater than the costs incurred in financial fraud…" [1]
"…Fraud resulting from medical identity theft takes two forms:" [2]
• Physician identification numbers that are stolen and used to bill for services
• Patient identification information stolen and used to obtain services or to bill for services
"…victims inadvertently could be treated based on someone else's medical history and who might, as a result, have a difficult time rebuilding their medical files."
[1] Ponemon Institute, "Second Annual Survey on Medical Identity Theft." (2011)
[2] McKay, Jim. "Identity Theft Steals Millions from Government Health Programs." Government Technology. http://www.govtech.com/security/Identity-Theft-Steals-Millions-from-Government.html
First HIPAA Privacy-Security Officer
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."
- Hippocratic Oath, 4th Century, B.C.E.
Welcome to today's Live Event… we will begin shortly… Please feel free to use "Chat" or "Q&A" to tell us any 'burning' questions you may have in advance
What's The Big Deal?
• Based on a recent Ponemon Institute study, the average cost per lost healthcare record was projected to be $282 per record in 2008, or nearly $3MM for a breach of 10,000 records
• A recent study found that over the past six years, data breaches have cost organizations well in excess of $155 billion [1]. These losses do not even include actual losses sustained by the victims of the breach, but account only for the organizations' costs.
[1] "Beware of Costly Data Breaches" by William B. Baker, Kathleen A. Kirby & Amy E. Worlton, Sept 2011 / Mass Media Headlines. http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=5&id=7505&&elq_mid=16002&elq_cid=1094517#page=1
ePHI & Security
Privacy & security are an essential part of the healthcare vision. Three questions a patient asks about their PHI, each mapping to one of the Security Rule's core properties:
• What if my Protected Health Information is not complete, up-to-date and accurate? (integrity)
• What if my Protected Health Information is shared? With whom? How? (confidentiality)
• What if my Protected Health Information is not there when it is needed? (availability)