© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice


Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]


Legal Disclaimer


Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


“My advice to business associates is to get in compliance now, because it's what you're supposed to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line.” [1]

“I think we’re going to find that there were a lot of covered entities that didn’t realize they have BAs and BAs that didn’t know they were BAs.” [2]

– Leon Rodriguez, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

[1] December 2012 interview with Healthcare IT News
[2] September 23, 2013 HIMSS Media Privacy & Security Forum


What Business Associates Need to Know About HIPAA

WEBINAR

April 10, 2014

Bob Chaput, MA, CISSP, HCISPP, CIPP/US
615-656-4299 or 800-704-3394
[email protected]
Clearwater Compliance LLC


About HIPAA-HITECH Compliance

1. We are not attorneys!

2. The Omnibus has arrived!

3. Lots of different interpretations!

So there!



Some Ground Rules

1. Slide materials
   A. Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials
   B. http://…
2. All Attendees are in Listen Only Mode
3. Please post Questions in “Question Area” on GTW Control Panel
4. In case of technical issues, check “Chat Area”
5. Please complete Exit Survey when you leave the session
6. Recorded version and final slides within 48 hours


Bob Chaput MA, CISSP, HCISPP, CIPP/US

• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, ISACA, HIMSS, ISSA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

http://www.linkedin.com/in/BobChaput


Our Passion

We’re excited about what we do because…

…we’re helping organizations improve care and safeguard the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!


What Makes Us The Leader

1. Our industry-leading web-based software operationalizes your program (no DOA PDF reports)
2. We’re healthcare executives helping other healthcare executives (we left the kids on the bus)
3. We religiously follow the Regs / Rules and industry-recognized Standards (we don’t make stuff up)


Poll #1 – What type of organization?



Poll #2 – What is your level of HIPAA-HITECH expertise?



Bottom Line Up Front

HITECH Omnibus:
• “Game-changer”
• Healthcare industry woefully unprepared
• Many business associates, even less so

• Largest and most consequential federal expansion
• Significantly more Business Associates
• Substantially increases the magnitude of HIPAA enforcement risk and liability
• A “Call to Arms” for Business Associates…

1. Comply with the entire HIPAA Security Rule
2. Comply with a specific section of the HITECH Breach Notification Rule
3. Comply with all applicable sections of the Privacy Rule (“mileage will vary greatly…”)


Session Agenda

1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist


HITECH Changes the Game for BAs

TITLE XIII—HEALTH INFORMATION TECHNOLOGY, Subtitle D—Privacy

SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS

SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES


Three Pillars of HIPAA-HITECH Compliance…

[Figure: the three pillars – Privacy, Security, Breach Notification – under HIPAA and HITECH, brought together by the OMNIBUS FINAL RULE]

• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
• Breach Notification: 6 pages / 2K words; 4 Standards; 9 Implementation Specs


HIPAA-HITECH Entities

• Covered Entity – Health care providers (that conduct e-transactions), health plans, health care clearinghouses
• Business Associate – Entity that uses or discloses PHI on behalf of a CE; creates, receives, maintains or transmits PHI on behalf of a CE
• Subcontractor (or Agent?) / Sub Business Associate – A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.


Business Associate and Subcontractor Provisions - 45 CFR §160.103

Before Omnibus
• Performs or assists in the performance of any function
• TPAs, Analytics firms, Billing companies, IT consultants, Accountants, Etc.

After Omnibus
• Create, receive, maintain or transmit PHI, AND:
• Health Information Organizations
• e-prescribing gateways
• Transmits and has access
• Personal Health Record vendors for CEs
• SUBCONTRACTORS to BAs
• Physical storage facilities and electronic storage vendors that maintain PHI
• Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services

Much Wider Net | More Risks & Liabilities | More Monitoring by All


A couple Business Associates

• Software vendors
• App Development Contractors
• File / Data Storage company
• Clearinghouses
• Web portal company
• Medicare HCC Coding Company
• Call Center Software firm
• Document Imaging company
• Claims Scrubbing Company
• Cloud-Storage Provider
• Data Analytics Company
• Pharmaceutical / Medical Device Companies
• Contract Research Organizations
• Data Transmission (HIE)
• Data Storage / Data Back-up
• Health Information Organizations (HIOs)
• Data Recovery Services
• Software as a Service (SaaS) Offerings
• On-Line Diagnostic Services
• Mobile Devices
• Web Portals – Physicians
• Web Portals – Consumers
• Pharmacy Benefits Managers
• Third Party Administrators
• Benefit Administrators
• Claims Review / Utilization
• Billing Processors
• Business Process Outsourcing (BPO) firms
• Revenue Cycle Companies
• Payment Agencies
• Collection Agencies
• Hospital Discharge Care Support
• Disease Management Companies
• Wellness Companies
• Fulfillment Companies
• Health Risk Assessment Organizations
• Independent Insurance Agents / Brokers
• CPA firm
• Medical transcriptionists
• Consultants
• Auditors
• Accreditation Firms
• Application Trouble-Shooters
• Law firms
• Biometric Companies
• Phlebotomists


Applicability of Privacy Rule and Security Rule to Business Associates - 45 CFR §164.104

Before Omnibus
• Privacy Rule and Security Rule directly apply only to CEs
• BAs and their subcontractors are only indirectly subject to Rules contractually through BAAs

After Omnibus
• BAs to comply with the Security Rule and applicable parts of the Privacy Rule – direct liability
• BAs subject to CMPs and criminal penalties for a violation of the Privacy Rule or Security Rule.
• Remember: subcontractors are BAs!

BAs: More Risks & Liabilities | More Monitoring by Upstream CEs and BAs | Get Going on Compliance Program Now!


Know These Brands?

239 BAs in 931 Breaches · 14.6M of 30.6M (~48%)


HIPAA-HITECH Chain of Trust

[Figure: a Hospital (HIPAA-HITECH Covered Entity) engages Business Associate 1, Business Associate 2 … Business Associate n (e.g. Outside IT, Wellness Vendor, ERP Contractor, Outside Law Firm, RCM, Portal Provider, Data Analytics firm), and each of those engages Sub-Contractor 1, Sub-Contractor 2 … Sub-Contractor n]

Regulations Create Chain of Trust… doesn’t end…


Basic HIPAA Requirements on a CE/BA!

45 C.F.R. §164.308 Administrative Safeguards.

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if …
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if …
(3) Implementation specifications: Written contract or other arrangement

Chain of Trust Does Not End!


Basic HIPAA Requirements on a CE/BA!

HIPAA SECURITY FINAL RULE §164.314 Organizational requirements.

(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will …
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section …


Privacy Rule BA Contract Requirements § 164.504(e)

1. Establish the permitted and required uses and disclosures of PHI by the business associate.
2. Provide that the business associate will:
   • Not use or further disclose PHI other than as permitted or required by the contract or by law;
   • Use appropriate safeguards and comply with the Security Rule with respect to electronic PHI;
   • Report to the CE any use or disclosure of the information not provided for by its contract, including breaches of unsecured protected health information;
   • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to these same restrictions and conditions;
   • Make PHI available for Individual rights of access, amendment (including incorporating amendments) and accounting of disclosures;
   • To the extent the BA is to carry out a CE’s obligation, comply with the Privacy Rule regulations that apply to the covered entity;
   • Make practices and records relating to the use and disclosure of PHI received from, or created or received by the BA available to the Secretary for determining the CE’s compliance with the Privacy Rule;
   • At termination of the contract, return or destroy all PHI created or received from/by the BA. If such return or destruction is not feasible, extend the protections of the contract to the information.
3. Authorize termination of the contract by the CE if the BA has violated a material term of the contract: (A) Terminate the contract or arrangement, if feasible; or, if termination is not feasible, report the problem to the Secretary.


Business Associate Agreement Provisions Required by Privacy Rule - 45 CFR §164.504(e)

Before Omnibus
• Establish the permitted and required uses and disclosures of PHI by the business associate.
• Limit further use or disclosure
• Use appropriate safeguards
• Report use or disclosure
• Ensure agents / subs protect
• Ensure access, amendment, accounting, etc.
• Destroy upon term.
• Etc.

After Omnibus
• All from BEFORE… PLUS…
• Report breaches of BAA
• Report breaches of unsecured PHI
• Comply with the Security Rule
• Enter into a compliant downstream agreement with any subcontractor
• New Provision: If BA is to carry out a covered entity’s obligation under the Privacy Rule, BAA must require the BA to accrue CE’s Privacy Rule

BAs and CEs must update BAAs; Grace period for certain BAAs


Business Associate and Subcontractor Provisions - 45 CFR §160.103

No BA Contract Required
• CE to healthcare provider
• GHP to Plan Sponsor
• Provider to Health Plan for Payment
• Persons or Entities not involved with PHI (janitorial service or electrician)
• OHCA participants
• CE purchase of health plan product or insurance (e.g. reinsurance) from insurer
• Disclosure of PHI to a researcher for research purposes, either with patient authorization or as a limited data set.
• The transfer of funds for payment for health care or health plan premiums by a financial institution.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html


SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

BA Contracts
http://www.hhs.gov/hipaafaq/providers/covered/365.html
• Implementing BAAs with any downstream subcontractors
• “knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation” must cure or terminate



Security Rule

Before Omnibus
• No specific guidance
• No mandate on any specific technology or approach
• Self-risk analysis based
• No direct liability for BAs

After Omnibus
• Direct liability for BAs
• All Standards, Implementation Specs and Requirements
• HITECH Act Section 13401: “…Guidance on the most effective and appropriate technical safeguards” as determined by the Secretary (HHS)… issued annually
• Big Priority: Risk Analysis
• Rigorous Audit Protocols
• Direct liability for BAs

Policies, Procedures, People & Safeguards


The Security Rule

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies & Procedures

Only ePHI


Balanced Compliance Program (Clearwater Compliance Compass™)

• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.
• Procedures or processes – documented – provide the actions required to deliver on the organization’s values.
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
• Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).


The Security Rule

22 Standards and 50+ Implementation Specifications: Not all requirements are created equal.

Get Risk Analysis Done


Poll #3 – Security Evaluation?


Poll #4 – Bona Fide Risk Analysis?



The Privacy Rule

• Uses and Disclosures
• Individual Rights
• Notice of Privacy Practices
• Organizational Requirements
• Administrative Requirements

All PHI, including ePHI


Privacy Rule

Business associates are directly liable under the HIPAA Rules for:
• Impermissible uses and disclosures – §164.502(a)(3)
• Failure to provide breach notification to the covered entity – §164.410
• Failure to provide access to a copy of ePHI to either the covered entity, the individual, or the individual’s designee – §164.502(a)(4)(ii)
• Failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules – §164.502(a)(4)(i)
• Failure to follow Minimum Necessary standard when using or disclosing PHI – §164.514(d)
• Failure to provide an accounting of disclosures – 76 Fed. Reg. 31426 (May 31, 2011)


BA Privacy Requirements… Vary!

Find and Work With Experts!



Definition of Breach - 45 CFR § 164.402

Before Omnibus
• “Harm Standard”
• “Secured PHI”
• Burden of Proof for CE: …compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
• Four Exceptions

After Omnibus
• Added a regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach
• “Compromise Assessment”
• Burden of Proof for CE: …demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment
• Burden of Proof for BA: …all notifications have been made
• Now, Three Exceptions

More Reportable Breaches | More Pressure on CEs and BAs


The Breach Notification Rule

• Administrative Requirements
• Breach Notification
• Burden of Proof

All PHI, including ePHI



Enforcement: Amount of CMP - 45 CFR § 160.404

Before Omnibus
• No more than $100 for each violation or $25,000 for all identical violations of the same provision
• CE could bar the Secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

After Omnibus
• New Civil Monetary Penalty (CMP) System – Tiered
• Discretion to use up to $50K per violation at each tier
• No more “did not know” affirmative defense
• Investigations & Monetary Penalties are mandatory for violations involving “willful neglect”
• Collected penalties back to OCR for enforcement
• Penalty monies back to harmed individuals… soon?

More Penalties | Audits | More Enforcement


New “Arrows” in HHS/OCR Enforcement Quiver
• New Civil Monetary Penalty System
• Monies Back to OCR Coffers
• State AGs Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• Increased Complaints

Help from…
• CMS MU Audits
• Possible FCA Actions
• Possible FTC Actions
• SEC Disclosure Requirements


Enforcement: Amount of CMP - 45 CFR § 160.404

Violation Category - Section 1176(a)(1)      | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)      | $100 - $50,000                   | $1,500,000
(B) Reasonable Cause                         | $1,000 - $50,000                 | $1,500,000
(C)(i) Willful Neglect – Corrected           | $10,000 - $50,000                | $1,500,000
(C)(ii) Willful Neglect – Not Corrected      | $50,000                          | $1,500,000

Discretion to Use $50K at Any Level
CEs & BAs Act Swiftly in Case of Breach


Some OCR Corrective Action Plans

Settlements shown ($13.5+M in total): AP DERM $150K; AHP $1.2M; WLP $1.7M; ISU $400K; HONI $50K; MEEI $1.5M; CVS $2.3M; Rite-Aid $1.0M; BCBS TN $1.5M; MGH $1.0M; PHX $100K; UCLA $865K; AK DHSS $1.7M

Corrective Action Plan (CAP) Requirement (number of these 13 CAPs that include it):
• Establish a Comprehensive Information Security Program (3)
• Designate an accountable Security Owner (2)
• Develop Privacy and Security policies and procedures (8)
• Document authorized access to ePHI (1)
• Distribute and update policies and procedures (7)
• Document Process for responding to security incidents (10)
• Implement training and sanctions for non-compliance (7)
• Conduct Risk Analysis / Establish Risk Management Process (13)
• Implement Reasonable Safeguards to control risks (10)
• Regularly review records of information system activity (1)
• Implement reasonable steps to select service providers (1)
• Testing and monitor security controls following changes (8)
• Obtain assessments from qualified independent 3rd party (8)
• Retain required documentation (10)

Page 47

PS – Don’t Forget Criminal Penalties

Congress also established criminal penalties for certain actions…
• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.

Page 48

Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ 160.306, 160.308, 160.312

Before Omnibus
• OCR may, but is not required to, conduct complaint investigations or compliance reviews
• OCR required to attempt to resolve investigations by informal means

After Omnibus
• OCR required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions).
• Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means

Increased Enforcement - Don’t Wait: Gap Assessments, Risk Analyses, PnPs, Training, etc.

Page 49

Sources of Risk and Liability Landscape

Page 50

New Texas HB 300 Penalties (1)
• Tier 1 (Committed Negligently) – $5,000 each violation
• Tier 2 (Committed Knowingly or Intentionally) – $25,000 each violation
• Tier 3 (Committed intentionally and PHI is used for financial gain) – $250,000 each violation
• Annual Maximum (Pattern or Practice) – Not to Exceed $1.5 million, per year

(1) Texas Health and Safety Code, Title 2. Health, Subtitle I. Medical Records, Section 181.201

Check Laws in All Jurisdictions

Page 51

Session Agenda
1. Business Associates / Sub-Business Associates
2. Security Rule
3. Privacy Rule
4. Breach Notification Rule
5. Enforcement
6. Timing
7. Next Actions for BAs and Resources to Assist

Page 52

Omnibus Timing (1)
• January 17, 2013 Release
• January 25, 2013 Publication
• March 26, 2013 Effective Date
• September 23, 2013 Compliance Date

(1) Subject to BAA Transition Provisions

Business Associate Agreements: Compliance Dates
• September 23, 2013, OR
• If a compliant contract was in place
  ‒ prior to January 25, 2013 and not renewed between March 26, 2013 and September 23, 2013,
  ‒ then that prior contract or other arrangement shall be deemed compliant until September 22, 2014 or the date it is renewed or modified on or after September 23, 2013, whichever is earlier

It’s Happening


Page 54

9 Actions to Take Now

1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan

Demonstrate Good Faith Effort!

Page 55

Two Specific Helpful Documents

Clearwater BA Omnibus ReadinessCheck™: http://clearwatercompliance.com/business-associate-omnibus-readinesscheck/

Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/

Page 56

Three Industry-Leading SaaS Solutions … to address all regulatory requirements

Page 57

Three Ways to Engage… to meet your budget and assurance requirements

[Figure: engagement options plotted against Investment and Assurance]

Page 58

Policies and Procedures Templates

Industry-Leading HIPAA Policies and Procedures Templates Based on the Needs of Your Organization…

Template Solution | Investment
Clearwater HIPAA Security Policies & Procedures™ ToolKit - Enterprise | $1,995
Clearwater HIPAA Security Policies & Procedures™ ToolKit - SMBs | $995
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - B2B Business Associates | $995
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - B2C Business Associates | $1,495
Clearwater HIPAA Privacy Policies & Procedures™ ToolKit - Covered Entities | $1,495
Clearwater Breach Notification Policies & Procedures™ ToolKit | $495

Page 59

Clearwater HIPAA Compliance BootCamp™ Events

Take Your HIPAA Privacy and Security Program to a Better Place, Faster

April 24 | Live HIPAA BootCamp™ | San Francisco
May 14, 21, 28 | HIPAA Virtual BootCamp™

Other 2014 Plans – Live, In-Person Events (9 hours):
• April 24 – San Francisco
• July 24 – Boston
• October 16 – Los Angeles

Other 2014 Plans – Virtual, Web-Based Events (3 sessions of 3 hours each):
• May 14, 21, 28
• August 13, 20, 27
• November 5, 12, 19

Page 60

HIPAA Compliance BootCamp™: HOW TO…

Welcome, Introductions and Overview
1. How to Set Up Your Privacy and Security Risk Management & Governance Program
2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule
3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to Prepare for and Manage an OCR Investigation
5. How to Train all Members of Your Workforce
Networking Luncheon & Refresh
6. Panel Discussion – How to Implement a Strong, Proactive Business Associate Management Program
7. How to Complete All HIPAA Security Rule Assessment Requirements
Networking Break
8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”
9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule
Buffer Time, Q&A, Final Remarks
Attendee Reception (optional)

Page 61

Expert Instructors

Bob Chaput, CISSP, CIPP/US, CHP, CHSS - CEO, Clearwater Compliance
Mary Chaput, MBA, CIPP/US, CHP - CFO & Chief Compliance Officer, Clearwater Compliance
Gregory J. Ehardt, JD, LL.M. - HIPAA/Assistant Compliance Officer - HCA; Adjunct Professor; Office of General Counsel, Idaho State University
Meredith Phillips, MHSA, CHC, CHPC - Chief Information Privacy & Security Officer, Henry Ford Health System
David Finn, CISA, CISM, CRISC - Health IT Officer, Symantec Corporation
Ann Waldo, JD, CIPP - Partner, Wittie, Letsche & Waldo, LLP

Page 62

Get more info…

Register For Upcoming Live HIPAA-HITECH Webinars at: http://abouthipaa.com/webinars/upcoming-live-webinars/

View pre-recorded Webinars like this one at: http://abouthipaa.com/webinars/on-demand-webinars/

Page 63

In Summary - You Should …

1. Read the Regulations Inside-Out or Find Experts Who Know Them
2. Determine What Your Specific Requirements Are Related To The Privacy Rule – Possibly Trickiest!
3. Stand Up Your Program / Governance and Develop and Execute Your Gap Assessments and Remediation Plans

Page 64

Contact

Bob Chaput, CISSP, HCISPP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299

Exit Survey, Please