May 15, 2015
The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis
© Clearwater Compliance | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Clearwater Information Risk Management Life Cycle [1]
[1] Adapted from NIST SP 800-39
Some Ground Rules…
1. Slide materials
   A. Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave session
6. Recorded version and final slides within 48 hours
About HIPAA-HITECH Compliance
• We are not attorneys!
• The Omnibus has arrived!
• Lots of different interpretations!
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• President – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: ACAP, CHIME/AEHIS, AHA, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
…and, keeping those same organizations off the Wall of Shame…!
Pause and Quick Poll
What type of organization do you represent?
• CE
• BA
• Hybrid
• Don’t Know
Pause and Quick Poll
How many Clearwater Compliance webinars have you attended before?
Mega Session Objective:
Help you understand and address three very specific AND different HIPAA Security Rule assessment requirements…
All Three Are Required!
An Important Case Study
• OCR is "turning up the gain”
• Completing compliance assessments is equally important to risk analyses even though focus has shifted
• See “Initial Data Request” (my emphasis) starting on page 4 and notice all the requests for “evidence” (“Are you abiding by, practicing, enforcing …”?)
• New Math:
  + IF “willful neglect” CMP means $50,000 per violation = $50,000 x 197,000 individuals [= $9.85B (yes, B!!)]
  + Good news, capped at $1.5M for each regulatory violation
  + For each calendar year in which the violation occurred (N.B., request for all risk analyses performed in last six (6) years.)
  + See list of 21 violations estimated 10s of $millions CMP
Bottom Line Up Front: Security Evaluation IS NOT EQUAL TO Risk Analysis
What’s similar?
Both are somewhat complex
Both help determine gaps
Both robustly audited in OCR Audit Protocol
Both are important and necessary
Both required by HIPAA Security Final Rule
Both have been required since April 2005
Both need “periodic” updates
Both help you become compliant with the HIPAA Security Rule
What’s different?
One is Forest-level; two are Trees/Weeds-level
One is “named” in Meaningful Use Stage I & II & III Objectives
One has specific ‘Final Guidance’ from OCR on how to perform
One has two parts; one has one part
One is compliance-focused; one is exposure-focused
One is an overall compliance assessment; one is a risk assessment
NO OMNIBUS CHANGES – Welcome BAs!
Other Helpful Resources:
Recorded Webinars at https://clearwatercompliance.com/on-demand-webinars/
o How To Conduct a Bona Fide HIPAA Security Risk Analysis
o How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
o What Business Associates Need to Know about HIPAA
Blog Post
o HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis
Session Objectives
01 Review specific HIPAA Security Assessment Regulations
02 Understand Compliance Assessment Essentials
03 Learn how to Complete These Assessments
Three Pillars of HIPAA-HITECH Compliance… (HIPAA, HITECH, OMNIBUS FINAL RULE)
Privacy Final Rule
• 75 pages / 27K words
• 56 Standards
• 54 Implementation Specs
Security Final Rule
• 18 pages / 4.5K words
• 22 Standards
• 50 Implementation Specs
Breach Notification IFR
• 6 pages / 2K words
• 4 Standards
• 9 Implementation Specs
Assessments and Audits Are Central to Compliance
• Establishing good policy and procedures is not enough…
• Comprehensive business processes are not enough…
• Deploying leading technology solutions and systems controls is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance
How to Do It Right
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Think Program, Not Project! Not Once and Done!
START
• Oversight
• Inventory PHI & ePHI
• Inventory BAs
• Assessments
• Remediation Plans
• Policies & Procedures
• Business Associate Management
• Training
YEAR 1
• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Re-Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update
YEAR 2
• Re-Inventory PHI & ePHI
• Re-Inventory BAs
• Re-Assessments
• Remediation Plans
• Policies & Procedures Review
• Business Associate Management
• Training Update
Ongoing Support and Guidance
Types of Assessments
1. Compliance Assessments (Security Evaluation - Non-Technical, at 45 CFR §164.308(a)(8))
   • Where do we stand?
   • How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
   • What is the exposure to information assets (e.g., ePHI)?
   • What do we need to do to mitigate risks?
3. Technical Assessments (Security Evaluation – Technical, at 45 CFR §164.308(a)(8))
   • How effective are the safeguards we have implemented?
   • Are the safeguards working?
4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
   • Have we caused legal, reputational, etc. harm?
   • Is there low probability of compromise of PHI?
Each Assessment Has Its Role and Proper Time
10 Actions to Take Now
Derived from OCR Enforcement Actions | Demonstrate Reasonable Diligence
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
3. Train all Members of Your Workforce (45 CFR §164.530(b), 45 CFR §164.308(a)(5) and 45 CFR §164.414)
4. Complete a HIPAA Security Risk Analysis and Risk Management (45 CFR §164.308(a)(1)(ii)(A) and (B))
5. Complete a HIPAA Security Non-Technical Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
8. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
9. Assess your current Insurance Coverage (e.g., Cyber Liability, D&O, E&O, P&C)
10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))
Session Objective 02: Review specific HIPAA Security Assessment Regulations
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Three Dimensions of HIPAA Security Business Risk Management (TEST & AUDIT)
• 45 CFR 164.308(a)(1)(ii)(A): Risk Analysis
• 45 CFR 164.308(a)(8): Non-Technical Compliance Assessment
• 45 CFR 164.308(a)(8) & OCR Audit Protocol: Technical Testing & Audits
Session Objective 03: Learn how to Complete These Assessments
3 Dimensions of HIPAA Non-Technical Security Evaluation (a.k.a. Compliance Gap Assessment, a.k.a. Mock Audit)
1. Is it documented? Policies, Procedures and Documentation
2. Are you doing it? Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? Comply with the implementation specification
Reference NIST SP 800-66
• Basis of HIPAA Security Rule
• Cross-walks HIPAA Security Rule to Compendium of NIST Security Framework Documents
http://clearwatercompliance.com/wp-content/uploads/2013/12/NIST_SP-800-66-Revision1.pdf
Understand and Reference 2012 Audit Program Protocol
• Established Performance Criteria (usually Standard or Implementation Spec or Requirement)
• Key Activity (usually one or more)
• Audit Procedures (usually one or more)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
The Inevitable for Phase II Audits
• OCR’s permanent HIPAA audit program slated to begin in 2015
• ~200 Covered Entities to be selected for desk audits
• Equal number or less BAs selected for desk audits
• Greater number of on-site audits, but no specific number given yet.
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program
2015 CE Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Content and timeliness of breach notifications
• Privacy—Notice of Privacy Practices and Access
2015 BA Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Breach reporting to covered entities
Use Document Request List
Are you prepared to quickly assemble and submit all necessary policies, procedures and documentation?
Pause and Quick Poll
Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8)) ?
HIPAA Security Technical Evaluation
• External Network Vulnerability Assessment & Penetration Testing
• Internal Network Vulnerability Assessment & Penetration Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans
ALL IMPORTANT – AIMED AT DETERMINING EFFICACY AND EFFECTIVENESS OF CONTROLS
Reference NIST SP 800-53A
“Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, is written to facilitate security control assessments conducted within an effective risk management framework.”
http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf
Reference NIST SP 800-115
• Basis of Technical Evaluations
• Pen Testing
• Vulnerability Scans
• Post Testing Activities
http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf
Pause and Quick Poll
Has Your Organization Completed the Technical Evaluation (=Testing) of Your Environment (45 CFR § 164.308(a)(8))?
Risk Analysis: Identify, Rate and Prioritize All Risks
1. What is our exposure of our information assets (e.g. ePHI)?
2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?
Thinking Like a Risk Analyst
Security Risk exists when and only when… THREAT (Actor), VULNERABILITY and IMPACT (LOSS OF OR HARM to ASSETS) all exist.
MUST HAVE A “TRIPLE” TO HAVE RISK = ASSET – THREAT – VULNERABILITY!
Risk Analysis IS:
…the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place [1].
[1] NIST SP800-30
Controls Help Address Vulnerabilities
Information Asset
• Laptop with ePHI
Threat Source
• Burglar who may steal Laptop with ePHI
Threat Action
• Steal Laptop
Vulnerabilities
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up
Controls
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
…from HHS/OCR Final Guidance
Regardless of the risk analysis methodology employed…
1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).
2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)
3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)
7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)
8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. §164.316(b)(1).)
9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§164.306(e) and 164.316(b)(2)(iii).)
Determine Likelihood and Impact
Asset  | Threat Source / Action      | Vulnerability       | Likelihood | Impact
Laptop | Burglar steals laptop       | No encryption       | High (5)   | High (5)
Laptop | Burglar steals laptop       | Weak passwords      | High (5)   | High (5)
Laptop | Burglar steals laptop       | No tracking         | High (5)   | High (5)
Laptop | “Shoulder Surfer” views     | No privacy screen   | Low (1)    | Medium (3)
Laptop | Careless User Drops         | No data backup      | Medium (3) | High (5)
Laptop | Lightning Strike hits home  | No surge protection | Low (1)    | High (5)
etc.
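To make OCR guidance step 7 (and the asset-threat-vulnerability “triple” rule above) concrete, here is an added example, written for this page and not taken from the slides or from Clearwater’s IRM | Analysis™ software, that rates the table’s rows and flags high-rated risks for which no control is planned or in place. The likelihood-times-impact scheme on the deck’s 1/3/5 scale and the control-to-vulnerability mapping are assumptions chosen for illustration.

```python
"""Small risk register modelled on the slides' laptop example (added here,
not Clearwater's software). Rating = likelihood x impact on the 1/3/5 scale
and the control mapping are assumptions for this example only."""
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 3, "High": 5}  # ratings used in the slide table


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: str      # Low / Medium / High
    impact: str          # Low / Medium / High

    def __post_init__(self):
        # A risk exists only for a complete asset-threat-vulnerability triple.
        if not (self.asset and self.threat and self.vulnerability):
            raise ValueError("risk needs an asset, a threat and a vulnerability")
        for level in (self.likelihood, self.impact):
            if level not in SCALE:
                raise ValueError(f"unknown rating {level!r}")

    @property
    def rating(self) -> int:
        """Step 7: combine the likelihood and impact values (assumed product)."""
        return SCALE[self.likelihood] * SCALE[self.impact]


# Constructed from the "Determine Likelihood and Impact" table on this page.
REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Risk("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Risk("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    Risk("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    Risk("Laptop", "Lightning strike hits home", "No surge protection", "Low", "High"),
]

# Which control from the "Controls Help Address Vulnerabilities" slide addresses
# which vulnerability: an assumed mapping, not one the slides state.
CONTROLS = {
    "No encryption": ["Encryption", "Remote wipe"],
    "Weak passwords": ["Strong passwords", "Policies & Procedures"],
    "No data backup": ["Data Backup"],
    "No tracking": [],
    "No privacy screen": [],
    "No surge protection": [],
}


def rank_risks(register):
    """Order risks by rating, highest first (stable, so table order breaks ties)."""
    return sorted(register, key=lambda r: r.rating, reverse=True)


def unmitigated(register, controls, threshold=9):
    """Risks rated at or above `threshold` with no control planned or in place."""
    return [r for r in register
            if r.rating >= threshold and not controls.get(r.vulnerability)]


def summarize(register, controls):
    """Remediation-plan view: vulnerability -> (rating, controls), ranked."""
    return {r.vulnerability: (r.rating, controls.get(r.vulnerability, []))
            for r in rank_risks(register)}


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.rating:2d}  {r.asset} / {r.threat} / {r.vulnerability}")
    print("Unmitigated high risks:",
          [r.vulnerability for r in unmitigated(REGISTER, CONTROLS)])
```

The ranked list is the “Risk Rating Report” view; the unmitigated list is the starting point for the remediation plan the guidance asks you to document.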
Risk Management Guidance
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Final
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Revision 3 Final, Recommended Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
What a Real Risk Analysis Looks Like
Risk Rating Report – Most Critical Output
Pause and Quick Poll
Has Your Organization Completed a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?
Not a Once & Done
“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
What’s similar?
Both are somewhat complex
Both help determine gaps
Both robustly audited in OCR Audit Protocol
Both are important and necessary
Both required by HIPAA Security Final Rule
Both have been required since April 2005
Both need “periodic” updates
Both help you become compliant with the HIPAA Security Rule
What’s different?
One is Forest-level; two are Trees/Weeds-level
One is “named” in Meaningful Use Stage I Objectives
One has specific ‘Final Guidance’ from OCR on how to perform
One has two parts; one has one part
One is compliance-focused; one is exposure-focused
One is an overall compliance assessment; one is a risk assessment
Security Evaluation IS NOT EQUAL TO Risk Analysis
Three Industry-Leading SaaS Solutions…
… to address all HIPAA regulatory requirements
IRM | Privacy™ - Clearwater’s HIPAA Privacy and Breach Notification Assessment Software
IRM | Security™ - Clearwater’s HIPAA Security Assessment Software
IRM | Analysis™ - Clearwater’s Risk Analysis Software
Clearwater WorkShop™ Process
01 Preparation
• Plan / Gather / Schedule
• Read Ahead / Review Materials
• Provide SaaS Subscription/Train
• Administer Surveys
02 Onsite Discovery/Assessment
• Facilitate & Discover
• Educate & Equip
• Evaluate & Advise
• Gather & Populate SaaS
03 Written Report
• Analyze Findings
• Document Observations
• Develop Recommendations
• Present and Sign Off
Software Subscription Plus WorkShop™
• 2.5-hours training for as many staff as you wish
• Ongoing technical support
• IRM | Analysis™ - 2 or 3-year subscription, paid annually.
• Ongoing software updates.
• Ongoing Community engagement.
• Professional consulting services to complete the risk analysis process, end-to-end.
• Risk Analysis Report with Findings, Observations and Recommendations.
• Fully-populated IRM | Analysis™ software application.
Our goal at Clearwater is to help your organization become as self-sufficient as you would like to be, as quickly as you would like to be.
The Clearwater Engagement Model
Proven Engagement Model - Used 100s of Times (Clearwater’s Role vs. Customer’s Role)
“We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete program evaluations, policies, procedures, gap assessments, risk analyses, risk response, etc. Customer reviews recommendations.
“We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
“We train you to do it”: Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
Summary and Next Steps
1. Assess the Forest First, Then Get Into the Trees/Weeds
2. Stay Business Risk Management and Patient/Member/Customer-Focused
3. Not ‘once and done’!
4. Large or Small: Get Help (Tools, Experts, etc.)
…Simply Makes Good Business Sense…
Download white papers
Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/
Educational Opportunities
Clearwater HIPAA Compliance and Information Risk Management BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn CPE Credits!
Join us for our next virtual, web-based event… Three 3-hour sessions: August 6th, 13th, 20th 2015
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater Information Risk Management BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Other Upcoming Clearwater Events
• May 21, 2015: Bob Chaput is speaking! Audit World 2015, New Orleans, LA
• May 26, 2015: Complimentary Webinar, Bona Fide Risk Analysis & Risk Management
• May 28, 2015: Complimentary Web Event, Blue Ribbon Panel: Information Risk Management Essentials
• June 4, 2015: How to Calculate the Cost of a Data Breach and How to Get the Budget for Your HIPAA-HITECH Compliance Program
Visit ClearwaterCompliance.com for more info!
Resources
Register For Upcoming Live HIPAA-HITECH Webinars at:
https://clearwatercompliance.com/live-educational-webinars/
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
https://www.clearwatercompliance.com
Phone: 800-704-3394 or 615-656-4299
linkedin.com/in/BobChaput
Exit Survey, Please
American Hospital Association Exclusive Endorsement
Health Care Information Privacy, Security, Compliance and Risk Management Solutions from Clearwater Compliance LLC have earned the exclusive endorsement of the American Hospital Association.
“In line with our mission to foster operational excellence in hospitals and health care systems, we collaborate with hospital leaders to identify key challenges the health care field faces. After conducting the proprietary AHA Signature Due Diligence Process™, we award the exclusive AHA Endorsement to the solution that stands out from other candidates in best enabling hospitals to surmount an operational challenge.”
- AHA
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394
http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Thank You!