© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Leon Rodriguez:
“My advice to business associates is to get in compliance now, because it's what you're supposed to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line.”1
“I think we’re going to find that there were a lot of covered entities that didn’t realize they have BAs and BAs that didn’t know they were BAs.”2
1 December 2012 interview with Healthcare IT News
2 September 23, 2013 HIMSS Media Privacy & Security Forum
What Business Associates Need to Know About HIPAA
WEBINAR
April 10, 2014
Bob Chaput, MA, CISSP, HCISPP, CIPP/US 615-656-4299 or 800-704-3394 [email protected] Clearwater Compliance LLC
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
Some Ground Rules
1. Slide materials
   A. Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials
   B. http://…
2. All Attendees are in Listen Only Mode
3. Please post Questions in “Question Area” on GTW Control Panel
4. In case of technical issues, check “Chat Area”
5. Please complete Exit Survey, when you leave session
6. Recorded version and final slides within 48 hours
Bob Chaput MA, CISSP, HCISPP, CIPP/US
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, ISACA, HIMSS, ISSA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve care and safeguard the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
What Makes Us The Leader
1. Our industry-leading web-based software operationalizes your program (no DOA PDF reports)
2. We’re healthcare executives helping other healthcare executives (we left the kids on the bus)
3. We religiously follow the Regs / Rules and industry-recognized Standards (we don’t make stuff up)
Poll #1 – What type of organization?
Poll #2 – What is your level of HIPAA-HITECH expertise?
Bottom Line Up Front
HITECH Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Many business associates, even less so
• Largest and most consequential federal expansion
• Significantly more Business Associates
• Substantially increases the magnitude of HIPAA enforcement risk and liability
• A “Call to Arms” for Business Associates…
1. Comply with the entire HIPAA Security Rule
2. Comply with a specific section of the HITECH Breach Notification Rule
3. Comply with all applicable sections of the Privacy Rule (“mileage will vary greatly…”)
Session Agenda
1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist
HITECH Changes the Game for BAs
TITLE XIII—HEALTH INFORMATION TECHNOLOGY, Subtitle D—Privacy
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS
SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES
Three Pillars of HIPAA-HITECH Compliance…
[Figure: three pillars – Privacy, Security, Breach Notification – standing on HIPAA and HITECH, all under the Omnibus Final Rule]
Security Final Rule • 18 pages / 4.5K words • 22 Standards • ~50 Implementation Specs
Privacy Final Rule • 75 pages / 27K words • 56 Standards • ~54 “dense” Implementation Specs
Breach Notification • 6 pages / 2K words • 4 Standards • 9 Implementation Specs
HIPAA-HITECH Entities
• Covered Entity
  – Health care providers (that conduct e-transactions), health plans, health care clearinghouses
• Business Associate
  – Entity that uses or discloses PHI on behalf of a CE
  – Create, receive, maintain or transmit PHI on behalf of a CE
• Subcontractor (or Agent?) / Sub Business Associate
  – A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.
Business Associate and Subcontractor Provisions - 45 CFR §160.103
Before Omnibus
• Performs or assists in the performance of any function
• TPAs • Analytics firms • Billing companies • IT consultants • Accountants • Etc.
After Omnibus
• Create, receive, maintain or transmit PHI
• AND,
• Health Information Organizations
• e-prescribing gateways
• Transmits and has access
• Personal Health Record vendors for CEs
• SUBCONTRACTORS to BAs
• Physical storage facilities and electronic storage vendors that maintain PHI
• Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services
Much Wider Net | More Risks & Liabilities | More Monitoring by All
A couple Business Associates
• Software vendors
• App Development Contractors
• File / Data Storage company
• Clearinghouses
• Web portal company
• Medicare HCC Coding Company
• Call Center Software firm
• Document Imaging company
• Claims Scrubbing Company
• Cloud-Storage Provider
• Data Analytics Company
• Pharmaceutical / Medical Device Companies
• Contract Research Organizations
• Data Transmission (HIE)
• Data Storage / Data Back-up
• Health Information Organizations (HIOs)
• Data Recovery Services
• Software as a Service (SaaS) Offerings
• On-Line Diagnostic Services
• Mobile Devices
• Web Portals – Physicians
• Web Portals – Consumers
• Pharmacy Benefits Managers
• Third Party Administrators
• Benefit Administrators
• Claims Review / Utilization
• Billing Processors
• Business Process Outsourcing (BPO) firms
• Revenue Cycle Companies
• Payment Agencies
• Collection Agencies
• Hospital Discharge Care Support
• Disease Management Companies
• Wellness Companies
• Fulfillment Companies
• Health Risk Assessment Organizations
• Independent Insurance Agents / Brokers
• CPA firm
• Medical transcriptionists
• Consultants
• Auditors
• Accreditation Firms
• Application Trouble-Shooters
• Law firms
• Biometric Companies
• Phlebotomists
Applicability of Privacy Rule and Security Rule to Business Associates - 45 CFR §164.104
Before Omnibus
• Privacy Rule and Security Rule directly apply only to CEs
• BAs and their subcontractors are only indirectly subject to Rules contractually through BAAs
After Omnibus
• BAs to comply with the Security Rule and applicable parts of the Privacy Rule – direct liability
• BAs subject to CMPs and criminal penalties for a violation of the Privacy Rule or Security Rule.
• Remember: subcontractors are BAs!
BAs: More Risks & Liabilities | More Monitoring by Upstream CEs and BAs | Get Going on Compliance Program Now!
Know These Brands?
14.6M of 30.6M (~48%); 239 BAs in 931 Breaches
HIPAA-HITECH Chain of Trust
[Figure: HIPAA-HITECH Covered Entity (Hospital) → Business Associate 1, Business Associate 2 … Business Associate n → Sub-Contractor 1, Sub-Contractor 2 … Sub-Contractor n; examples shown: Outside IT, Wellness Vendor, ERP Contractor, Outside Law Firm, RCM, Portal Provider, Data Analytics firm]
Regulations Create Chain of Trust… doesn’t end…
Basic HIPAA Requirements on a CE/BA!
45 C.F.R. §164.308 Administrative Safeguards.
(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if …
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if …
(3) Implementation specifications: Written contract or other arrangement
Chain of Trust Does Not End!
Basic HIPAA Requirements on a CE/BA! (continued)
HIPAA SECURITY FINAL RULE §164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will …
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section …
Privacy Rule BA Contract Requirements § 164.504(e)
1. Establish the permitted and required uses and disclosures of PHI by the business associate.
2. Provide that the business associate will:
• Not use or further disclose PHI other than as permitted or required by the contract or by law;
• Use appropriate safeguards and comply with the Security Rule with respect to electronic PHI;
• Report to the CE any use or disclosure of the information not provided for by its contract, including breaches of unsecured protected health information;
• Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to these same restrictions and conditions;
• Make PHI available for Individual rights of access, amendment (including incorporating amendments) and accounting of disclosures;
• To the extent the BA is to carry out a CE’s obligation, comply with the Privacy Rule regulations that apply to the covered entity;
• Make practices and records relating to the use and disclosure of PHI received from, or created or received by the BA available to the Secretary for determining the CE’s compliance with the Privacy Rule;
• At termination of the contract, return or destroy all PHI created or received from/by the BA. If such return or destruction is not feasible, extend the protections of the contract to the information.
3. Authorize termination of the contract by the CE, if the BA has violated a material term of the contract: (A) terminate the contract or arrangement, if feasible; or, if termination is not feasible, report the problem to the Secretary.
Business Associate Agreement Provisions Required by Privacy Rule - 45 CFR §164.504(e)
Before Omnibus
• Establish the permitted and required uses and disclosures of PHI by the business associate.
• Limit further use or disclosure
• Use appropriate safeguards
• Report use or disclosure
• Ensure agents / subs protect
• Ensure access, amendment, accounting, etc.
• Destroy upon term.
• Etc.
After Omnibus
• All from BEFORE… PLUS…
• Report breaches of BAA
• Report breaches of unsecured PHI
• Comply with the Security Rule
• Enter into a compliant downstream agreement with any subcontractor
• New Provision: If BA is to carry out a covered entity’s obligation under the Privacy Rule, the BAA must require the BA to comply with the Privacy Rule provisions that apply to the CE
BAs and CEs must update BAAs; Grace period for certain BAAs
Business Associate and Subcontractor Provisions - 45 CFR §160.103
No BA Contract Required
• CE to healthcare provider
• GHP to Plan Sponsor
• Provider to Health Plan for Payment
• Persons or Entities not involved with PHI (janitorial service or electrician)
• OHCA participants
• CE purchase of health plan product or insurance (e.g. reinsurance) from insurer
• Disclosure of PHI to a researcher for research purposes, either with patient authorization or as a limited data set.
• The transfer of funds for payment for health care or health plan premiums by a financial institution.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
BA Contracts
http://www.hhs.gov/hipaafaq/providers/covered/365.html
• Implementing BAAs with any downstream subcontractors
• “knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation” must cure or terminate
Security Rule
Before Omnibus
• No specific guidance
• No mandate on any specific technology or approach
• Self-risk analysis based
• No direct liability for BAs
After Omnibus
• Direct liability for BAs
• All Standards, Implementation Specs and Requirements
• HITECH Act Section 13401: “…Guidance on the most effective and appropriate technical safeguards” as determined by the Secretary (HHS)… issued annually
• Big Priority: Risk Analysis
• Rigorous Audit Protocols
Policies, Procedures, People & Safeguards
The Security Rule
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies & Procedures
Only ePHI
Balanced Compliance Program (Clearwater Compliance Compass™)
Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
Procedures or processes – documented – provide the actions required to deliver on the organization’s values.
People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
The Security Rule
22 Standards and 50+ Implementation Specifications: Not all requirements are created equal.
Get Risk Analysis Done
Poll #3 – Security Evaluation?
Poll #4 – Bona Fide Risk Analysis?
The Privacy Rule
• Uses and Disclosures
• Individual Rights
• Notice of Privacy Practices
• Organizational Requirements
• Administrative Requirements
All PHI, including ePHI
Privacy Rule
Business associates are directly liable under the HIPAA Rules for:
• Impermissible uses and disclosures - §164.502(a)(3)
• Failure to provide breach notification to the covered entity - §164.410
• Failure to provide access to a copy of ePHI to either the covered entity, the individual, or the individual’s designee - §164.502(a)(4)(ii)
• Failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules - §164.502(a)(4)(i)
• Failure to follow Minimum Necessary standard when using or disclosing PHI - §164.514(d)
• Failure to provide an accounting of disclosures - 76 Fed. Reg. 31426 (May 31, 2011)
BA Privacy Requirements… Vary!
Find and Work With Experts!
Definition of Breach - 45 CFR § 164.402
Before Omnibus
• “Harm Standard”
• “Secured PHI”
• Burden of Proof for CE: …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
• Four Exceptions
After Omnibus
• Added a regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Compromise Assessment”
• Burden of Proof for CE: …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA: …all notifications have been made
• Now, Three Exceptions
More Reportable Breaches | More Pressure on CEs and BAs
The Breach Notification Rule
• Administrative Requirements
• Breach Notification
• Burden of Proof
All PHI, including ePHI
Enforcement: Amount of CMP - 45 CFR § 160.404
Before Omnibus
• No more than $100 for each violation or $25,000 for all identical violations of the same provision
• CE could bar the Secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.
After Omnibus
• New Civil Monetary Penalty (CMP) System – Tiered
• Discretion to use up to $50K per violation at each tier
• No more “did not know” affirmative defense
• Investigations & Monetary Penalties are mandatory for violations involving “willful neglect”
• Collected penalties back to OCR for enforcement
• Penalty monies back to harmed individuals… soon?
More Penalties | Audits | More Enforcement
New “Arrows” in HHS/OCR Enforcement Quiver
• New Civil Monetary Penalty System
• Monies Back to OCR Coffers
• State AGs Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• Increased Complaints
Help from…
• CMS MU Audits
• Possible FCA Actions
• Possible FTC Actions
• SEC Disclosure Requirements
Enforcement: Amount of CMP - 45 CFR § 160.404
Violation Category - Section 1176(a)(1) | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know) | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000
Discretion to Use $50K at Any Level | CEs & BAs Act Swiftly in Case of Breach
Some OCR Corrective Action Plans
Organizations and amounts (total $13.5+M): AP DERM $150K; AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite-Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M
Corrective Action Plan (CAP) Requirement (number of the 13 CAPs that included it):
• Establish a Comprehensive Information Security Program (3)
• Designate an accountable Security Owner (2)
• Develop Privacy and Security policies and procedures (8)
• Document authorized access to ePHI (1)
• Distribute and update policies and procedures (7)
• Document Process for responding to security incidents (10)
• Implement training and sanctions for non-compliance (7)
• Conduct Risk Analysis / Establish Risk Management Process (13)
• Implement Reasonable Safeguards to control risks (10)
• Regularly review records of information system activity (1)
• Implement reasonable steps to select service providers (1)
• Testing and monitor security controls following changes (8)
• Obtain assessments from qualified independent 3rd party (8)
• Retain required documentation (10)
PS – Don’t Forget Criminal Penalties
Congress also established criminal penalties for certain actions…
• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.
Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ 160.306, 160.308, 160.312
Before Omnibus
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means
After Omnibus
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means
Increased Enforcement | Don’t Wait | Gap Assessments, Risk Analyses, PnPs, Training, etc.
Sources of Risk and Liability Landscape
New Texas HB 300 Penalties
• Tier 1 (Committed Negligently) – $5,000 each violation
• Tier 2 (Committed Knowingly or Intentionally) – $25,000 each violation
• Tier 3 (Committed intentionally and PHI is used for financial gain) – $250,000 each violation
• Annual Maximum (Pattern or Practice) – Not to Exceed $1.5 million, per year
1 TEXAS HEALTH AND SAFETY CODE, TITLE 2. HEALTH, SUBTITLE I. MEDICAL RECORDS, SECTION 181.201
Check Laws in All Jurisdictions
Omnibus Timing1
• January 17, 2013 Release
• January 25, 2013 Publication
• March 26, 2013 Effective Date
• September 23, 2013 Compliance Date
1 Subject to BAA Transition Provisions
Business Associate Agreements: Compliance Dates
• September 23, 2013 OR
• If a compliant contract was in place
  ‒ prior to January 25, 2013 and not renewed between March 26, 2013 and September 23, 2013,
  ‒ then that prior contract or other arrangement shall be deemed compliant until September 22, 2014 or the date it is renewed or modified on or after September 23, 2013, whichever is earlier
It’s Happening
9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
Two Specific Helpful Documents
• Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/
• Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
Three Industry-Leading SaaS Solutions … to address all regulatory requirements
Three Ways to Engage… to meet your budget and assurance requirements
[Figure: engagement options plotted by Investment against Assurance]
Policies and Procedures Templates
Industry-Leading HIPAA Policies and Procedures Templates Based on the Needs of Your Organization…
Template Solution | Investment
Clearwater HIPAA Security Policies & Procedures™ ToolKit - Enterprise | $1,995
Clearwater HIPAA Security Policies & Procedures™ ToolKit - SMBs | $995
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - B2B Business Associates | $995
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - B2C Business Associates | $1,495
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - Covered Entities | $1,495
Clearwater Breach Notification Policies & Procedures™ ToolKit | $495
Clearwater HIPAA Compliance BootCamp™ Events
Take Your HIPAA Privacy and Security Program to a Better Place, Faster
April 24 | Live HIPAA BootCamp™ | San Francisco
May 14, 21, 28 | HIPAA Virtual BootCamp™
Other 2014 Plans – Virtual, Web-Based Events (3, 3-hr sessions): • May 14-21-28 • August 13-20-27 • November 5-12-19
Other 2014 Plans – Live, In-Person Events (9-hours): • April 24 – San Francisco • July 24 – Boston • October 16 – Los Angeles
HIPAA Compliance BootCamp™: HOW TO…
Welcome, Introductions and Overview
1. How to Set Up Your Privacy and Security Risk Management & Governance Program
2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule
3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to Prepare for and Manage an OCR Investigation
5. How to Train all Members of Your Workforce
Networking Luncheon & Refresh
6. Panel Discussion – How to Implement a Strong, Proactive Business Associate Management Program
7. How to Complete All HIPAA Security Rule Assessment Requirements
Networking Break
8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”
9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule
Buffer Time, Q&A, Final Remarks
Attendee Reception (optional)
Expert Instructors
• Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO, Clearwater Compliance
• Mary Chaput, MBA, CIPP/US, CHP – CFO & Chief Compliance Officer, Clearwater Compliance
• Gregory J. Ehardt, JD, LL.M. – HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor; Office of General Counsel, Idaho State University
• Meredith Phillips, MHSA, CHC, CHPC – Chief Information Privacy & Security Officer, Henry Ford Health System
• David Finn, CISA, CISM, CRISC – Health IT Officer, Symantec Corporation
• Ann Waldo, JD, CIPP – Partner, Wittie, Letsche & Waldo, LLP
Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/
View pre-recorded Webinars like this one at: http://abouthipaa.com/webinars/on-demand-webinars/
In Summary - You Should …
1. Read the Regulations Inside-Out or Find Experts Who Know Them
2. Determine What Your Specific Requirements Are Related To The Privacy Rule – Possibly Trickiest!
3. Stand Up Your Program / Governance and Develop and Execute Your Gap Assessments and Remediation Plans
Contact
Bob Chaput, CISSP, HCISPP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Exit Survey, Please
Omnibus Final Rule: Big Changes in Title 45 CFR – Public Welfare, Parts 160 & 164