© Clearwater Compliance | All Rights Reserved
What we might see from OCR in 2020
Live Web Event
February 12, 2020
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
1. Slide materials – Link In Chat Box (Should have also received in reminder email earlier today)
2. All attendees are in “Listen Only Mode”
3. Please ask content related questions in “Q&A”
4. In case of technical issues, use / check “Chat”
5. Please participate in all polls
6. Please complete Exit Survey when you leave our session
7. Recorded version, final slides, and Certificate of Attendance will be shared with you within 48 hours
Webinar Logistics
Founded in Nashville in 2010, colleagues in 20+ states, growing rapidly
Portfolio company of Altaris Capital Partners, a healthcare PE firm with $3B under management
Leading provider of enterprise cyber risk management and HIPAA compliance software and solutions for healthcare
Approximately 400 customers, including 60 IDNs, many with enterprise programs
100% success rate when deliverables submitted to the Office for Civil Rights (OCR)
Introduction to Clearwater
• 40+ years in Business, Operations, Technology & Cyber Risk Management
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for some of largest, most sensitive healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: NACD, IAPP, ISC2, CHIME/AEHIS, HIMSS, ISSA, HCCA
Bob Chaput, MA, CISSP, HCISPP, CRISC, C|EH, CIPP/US, NACD CERT Cyber Risk Oversight
Executive Chairman & Founder, Clearwater
Your Presenters:
• Recognized by the healthcare industry as a preeminent thought leader and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data
• For over a decade, she both developed health information privacy and security policy, including on emerging technologies and cyber threats, for the Department of Health and Human Services, and enforced HIPAA regulations through spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA.
• Member: ABA, AHLA, ISC2, Hispanic National Bar Association
Iliana Peters, JD, LLM, CISSP
Shareholder, Polsinelli PC, Former Acting Deputy Director HHS Office for Civil Rights
Your Presenters:
Polsinelli serves clients nationally across the full spectrum of their legal needs:
100+ services and 70+ industry areas | 800+ Attorneys | 20 Cities – Metropolitan offices in:
▪ Atlanta ▪ Boston ▪ Chicago ▪ Dallas ▪ Denver ▪ Houston ▪ Kansas City ▪ Los Angeles ▪ Nashville ▪ New York ▪ Phoenix ▪ St. Louis ▪ San Francisco ▪ Silicon Valley ▪ Washington, D.C. ▪ Wilmington
Legal Industry National Recognition
• Ranked #24 for Client Service Excellence 2018 BTI Client Service A-Team Report
• Ranked #10 for Best Client Relationships 2017 BTI Industry Power Rankings
• Named Among the top 20 best-known firms in the nation 2017 BTI Brand Elite
About Polsinelli
Pause and Poll
1. What type of organization do you represent?
Hospital / Health System / IDN | Other Covered Entity | Business Associate | Hybrid | Don’t Know
• Review Clearwater Research and Publication
• Hear Iliana Peters’ Perspective
• Survey Your Perspective
• Summarize with Key Takeaways
https://go.clearwatercompliance.com/the-year-in-healthcare-information-security-and-privacy-regulations-and-what-lies-ahead-for-2020
Discussion Flow
https://sites-polsinelli.vuturevx.com/112/2104/february-2020/d.c.-district-court-limits-the-hipaa-privacy-rule-requirement.asp?sid=26dee53c-6f58-4ecb-923b-68db46a2af8f
D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records
• Treatment
• Public Health Activities
• Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
• Disclosures to Prevent a Serious and Imminent Threat
• Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
• Minimum Necessary
Recent Coronavirus Development
Indicator 2019 Direction
Breaches
Patient complaints
Federal settlement dollars
State actions / penalties
Lawsuits
State Laws
Compliance and Cyber Risk Management costs
How Did Your Organization Fare in 2019?
What Did We See in 2019?
Metric | 2018 | 2019 | Change
# of Breaches | 371 | 494 | 33%
# of Records | 13,947,909 | 41,134,121 | 195%
Breaches and Records @ 12/31/2019 Under Investigation + Archived
Categories (Causes)
Hacking/IT Incident: 35,459,203
Unauthorized Access/Disclosure: 4,579,826
Theft/Loss: 348,748
Improper Disposal: 21,281
Attack Surface
Network Server: 35,610,656
Email: 2,949,335
Desktop Computer: 643,023
Laptop/Other Portable Device: 202,159
Attacking / Hacking Servers!
The Categories and Attack Surfaces of Records Under Investigation
Pause and Poll
2. Does your organization have budgeted compliance and cyber risk management improvement goals for 2020?
Yes, we have plans and a budget to make improvements | No new plans, we’re in good shape | Don’t know
CE, 344
BA, 85
# OF BREACHES
CE, 16,081,235
BA, 24,327,823
# OF RECORDS
Business Associates - responsible for 20% of Breaches / 60% of Records
Business Associates Drove # of Records Breached in 2019
Concern for third-party risk management will continue to be prominent
BAs should be prepared for even greater levels of due diligence
Key Takeaways for 2020
Pause and Poll
3. Please indicate extent of agreement with this statement: Our current third-party risk management program will adequately protect our organization in 2020.
Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree
Complaints Received and Investigated
Year | Received | Investigated
2015 | 18,923 | 1,095
2016 | 22,837 | 1,001
2017 | 25,144 | 1,118
2018 | 23,623 | 1,117
2019 | 28,329 | 1,487
% of CAO to Investigations
Year | % of CAO to Investigations
2015 | 67%
2016 | 78%
2017 | 78%
2018 | 77%
2019 | 70%
• The number of complaints in 2019 increased 20% over 2018
• Investigations in 2019 increased 33% over 2018
• However, % of Corrective Actions Obtained to Investigations still high at 70%
Complaints Are On The Rise
Two Settlement Agreements in 2019 were initiated by Complaints following OCR establishing a “Right of Access Initiative” in 2019
The scope of HIPAA enforcement is broadening to encompass ensuring patient rights; Expect more to come
Key Takeaways for 2020
Pause and Poll
4. At 45 CFR §164.530(a)(1)(ii), the Privacy Rule requires designation of “… a contact person or office who is responsible for receiving complaints”. Please indicate the extent of your agreement with this statement: Our patients / customers / employees will contact our organization with a complaint before contacting OCR.
Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree
Type of Violation | Number | Collected
Unencrypted laptop and mobile devices | 3 | $3,165,000.00
Not notifying OCR or victims of the breach | 1 | $3,000,000.00
Lack of BA Agreement | 1 | $2,175,000.00
Not discovering a breach in a timely manner | 1 | $2,154,000.00 - CMP
Lack of access credentials on public server | 1 | $1,600,000.00 - CMP
Failing to provide right of access | 2 | $170,000.00
Disclosing PHI on Yelp reviews | 1 | $10,000.00
Total | 10 | $12,274,000.00
OCR Director Roger Severino admonished in a press release: “Neglecting to have a comprehensive, enterprise-wide risk analysis is a recipe for failure.”
Out of 8 “ePHI cases”, 7 (88%) failed to conduct an OCR-Quality Risk Analysis®
1 https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/index.html
Summary of 2019 OCR Settlements & CMPs1
TO DATE, THERE HAVE BEEN 74 OFFICE FOR CIVIL RIGHTS ENFORCEMENT ACTIONS
90% of those enforcement actions involving ePHI included adverse findings in organizations’ RISK ANALYSIS
1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else
2. NOT ASSET-BASED: too many organizations treating as a checklist matter rather than a loss/harm matter
3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location
4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario
5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance
6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of vibrant ongoing program and management engagement
IRM|Analysis™ and Clearwater isolate & address all of these issues
Risk Analysis & Risk Management Adverse Findings
Key Takeaways for 2020
OCR’s enforcement of the risk analysis requirement has been consistent
OCR expects risk analysis to be a continuous process, not a once and done assessment
A comprehensive risk analysis must be done that is appropriate for the complexity and scale of the organization
Medium to large organizations should leverage commercial cyber risk management software that:
o Is designed for healthcare
o Facilitates the continuous process requirements
o Provides appropriate documentation as evidence of practice
o Optimizes security resources and budget
o And is in accordance with the OCR Guidance on Risk Analysis Requirements
1 https://www.law360.com/articles/1233269/hipaa-boss-sees-low-hanging-fruit-ripe-for-enforcement
• "For enforcement purposes, there's still a lot of low-hanging fruit," the OCR director said. "There are a lot of entities that are not doing the basic steps to make sure they have proper, for example, cybersecurity protections in place. They're not doing the comprehensive risk analyses on the front end."
• "That information needs to be protected, which means entities have to do, first and foremost, proper risk analysis at the front end ... so that they don't have to face some very difficult questions in enforcement actions from OCR at the back end," the director said.
Regarding Risk Analysis1
Pause and Poll
5. Please indicate extent of agreement with this statement: Our organization can deliver an OCR-quality Risk Analysis™, if requested by OCR or other enforcement agencies.
Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree
• April 2019 - HHS issued a notice changing the Annual Penalty Limit. Previously the same cumulative annual CMP limit of $1,500,000 applied to each of the four penalty tiers in the HITECH Act; the notice replaces it with an annual amount that better reflects the level of culpability for each tier:
  • No Knowledge
  • Reasonable Cause
  • Willful Neglect-Corrected
  • Willful Neglect-Not Corrected
• The Notice concludes with “HHS will use this penalty tier structure, as adjusted for inflation, until further notice,” adding: “This exercise of enforcement discretion is effective indefinitely.”
• November 2019 - HHS issued a statement increasing the CMP for HIPAA violations in accordance with the Inflation Adjustment Act. This increase will be effective immediately.
Key Takeaway: The revised Annual Limits have yet to be made official, so OCR can legally use the new maximum Annual Penalty Limit increased for inflation across all penalty tiers: $1,754,698
Civil Monetary Penalties Are Changing (maybe)
AFTER NOTIFICATION OF ENFORCEMENT DISCRETION
BEFORE NOTIFICATION OF ENFORCEMENT DISCRETION
1 https://www.ecfr.gov/cgi-bin/text-idx?SID=62698974ad3e15d8181d2eaed0152961&mc=true&node=pt45.1.160&rgn=div5#sp45.2.160.d
Imposition of Civil Money Penalties1
CMP for HIPAA violations in accordance with the Inflation Adjustment Act
Key Takeaway: The revised Annual Limits have yet to be made official, so OCR can legally use the new maximum Annual Penalty Limit increased for inflation across all penalty tiers: $1,754,698
1 https://www.govinfo.gov/content/pkg/FR-2019-11-05/pdf/2019-23955.pdf
Annual Civil Money Penalties Inflation Adjustment1
Total Funding Provided (in $ millions)
Fiscal Year | Net Appropriation | Settlement Monies Spent / Budgeted | Total
FY2017 | $38.7 | $8.1 | $46.8
FY2018 | $32.5 | $11.2 | $43.7
FY2019 | $39.0 | $13.4 | $52.4
FY2020 | $30.0 | $23.0 | $53.0
Cumulative $ Spent/Collected/Remaining (in $ millions)
Fiscal Year | Cumulative Settlement Monies Spent/Budgeted | Cumulative Settlement Monies Collected | Settlement Monies Remaining
FY2017 | $8.1 | $75.0 | $66.9
FY2018 | $19.3 | $103.7 | $84.4
FY2019 | $32.7 | $116.0 | $83.3
FY2020 | $55.7 | $116.0 | $60.3
Source:
https://www.hhs.gov/about/budget/fy2020/index.html
https://www.hhs.gov/sites/default/files/fy-2020-budget-in-brief.pdf
https://www.hhs.gov/ocr/about-us/budget/index.html
OCR Total Spending UP | Use of Settlement Monies is UP
CMP / Settlement $
OTHER COSTS: Notification, Legal, Investigation, Forensics, Identity Theft, Mitigation, Remediation, Class Action Suit, Reputation, Cost of Capital, Insurance, Etc.
“And, St. Joseph Health System settled with a cash payment of $7.5 million to participating settlement class members. The court documents also indicate that St. Joseph spent an additional $7.5 million on identity theft protection, $13.0 million to institute policies to comply with federal & state regulations, and $7.5 million in attorney’s fees..."
$37.54 Million and counting…
$2.1 million OCR Settlement
St. Joseph Health System Case
(in $ millions)
OCR Settlement Amount: $ 16.0
Expert Consultants: 2.5
Initial Notification Costs: 31.0
Estimated Security Upgrades: 260.0
Class-Action settlement: 115.0
Estimated Total Costs: $ 424.5
Anthem’s annual reports filed with the SEC have not detailed the full cost of the data breach!
Anthem, Inc. – Current Tally
Pause and Poll
6. Please indicate extent of agreement with this statement: “Our C-Suite and Board understand the financial implications of a HIPAA violation and/or data breach?”
Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree
• State AGs are including violations of State Laws in addition to HIPAA
• Since 2010, State AGs have collected over $19,508,000
• 2018: 9 HIPAA cases, collected $3,543,000
• 2019: only 3 HIPAA cases, but collected $11,835,000
• Multi-state enforcement actions emerging
Key Takeaways for 2020: Expect more state enforcement actions in 2020 for health care-related breaches
State Penalties Have Increased
• California finalized CCPA in October 2019, which took effect January 1, 2020. Inspired by the provisions in the GDPR, it provides for requests that information be deleted and forbids its sale
• Nevada Senate Bill 220 Online Privacy took effect October 2019, providing residents an opt-out regarding the sale of personal information in addition to requesting what information is collected
• Maine signed into law in June 2019 An Act to Protect the Privacy of Online Customer Information, which prohibits ISPs from using, disclosing, selling or permitting access to the vast majority of the information generated by a customer’s use of internet service
• New York signed into law the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which broadened the scope of private information to include biometric information and email addresses and passwords
• In addition, seven States amended Data Breach Notification Laws in 2019
State Privacy Laws Are Getting More Complex
Individuals Filing Lawsuits
https://www.renalandurologynews.com/home/departments/hipaa-compliance/patient-lawsuits-for-hipaa-related-breaches/
• No private right of action under HIPAA
• Lawsuits are based on breach of fiduciary duty, breach of contract, or negligence
On December 19, 2019, OCR and the Department of Education released updated guidance clarifying how FERPA and the HIPAA Privacy Rule apply to education and health records maintained about students. The guidance addresses new questions such as:
• When can PHI or PII from an education record be shared with the parent of an adult student?
• What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?
• Does HIPAA allow a provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?
• When can PHI or PII be shared about a student who presents a danger to self or others?
• Under FERPA, can an educational agency disclose, without prior written consent, PII from a student’s education records, including health records, to law enforcement officials?
• Does FERPA permit an educational agency to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?
1 https://www.hhs.gov/about/news/2019/12/19/updated-joint-guidance-privacy-and-student-education-and-health-records.html
Updated Guidance on Privacy and Student Education and Health Records1
The updated OCR and DOE guidance reflects OCR’s efforts to provide for evolving patient data sharing trends.
To that end, expect discussions on how to update HIPAA for the digital age to intensify this year, especially in the wake of PROJECT NIGHTINGALE1
1 https://www.healthcaredive.com/news/it-execs-call-for-hipaa-overhaul-in-project-nightingale-wake/567520/
Key Takeaways for 2020
Evolving Focus is Required
Compliance (c. 2010)
Security & ECRM (c. 2015)
Patient Safety (c. 2018)
Medical Professional Liability (c. 2020)
Timely Care | Access to Care | Quality & Safe Care
Availability | Integrity | Confidentiality
Patient Information & Patient Safety & MPL
Connect the Dots!
• Breaches increasing?
• Patient complaints increasing?
• Federal penalties increasing?
• State penalties increasing?
• Lawsuits increasing?
• State Laws getting even more complex?
• Compliance and Cyber Risk Management costs increasing?
• Risk Analysis / Risk Management Enforcement increasing?
Be Prepared for More in 2020
• No matter where you are in your compliance risk management and cyber risk management programs, dial it up!
• Engage the C-suite and Board because it’s a business risk management issue
What Might We Expect from OCR and Others in 2020?
Pause and Poll
7. Please indicate extent of agreement with this statement: This web session helped me better understand what enforcement we might expect from OCR and state regulators in 2020?
Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree
*This event is for CHIME members only.
Upcoming Educational Events
Learn more and register for additional upcoming educational events
1. Polsinelli Article: D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records
2. Article discussed in this session: The Year in Healthcare Information Security and Privacy Regulations and What Lies Ahead for 2020
3. OCR enforcement information: Recent Civil Rights Resolution Agreements & Compliance Reviews
4. Previously recorded live web event: Top Reasons for Risk Analysis Failures | Featuring former OCR Leader & Investigator, Iliana Peters
5. Clearwater White Paper: Connecting the Dots Between Cyber Risk and Patient Safety
6. Research Paper: CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning
7. Recent Law360 article: HIPAA Boss Sees 'Low-Hanging Fruit' Ripe For Enforcement
Resources for You
Bob Chaput
bob.chaput@ClearwaterCompliance.com
615.656.4299
www.clearwatercompliance.com
Iliana [email protected]
Thank You & Questions
www.ClearwaterCompliance.com
800.704.3394
LinkedIn | linkedin.com/company/clearwater-compliance-llc/
Twitter | @clearwaterhipaa
Additional Slides
Metric | 2018 | 2019 | Change
# of Breaches | 155 | 429 | 198%
# of Records | 6,478,436 | 40,409,058 | 523%
OCR Pipeline?
Breaches and Records @12/31/2019 Under Investigation
* through 12/31/2019
• Total Dollars Collected is down in 2019
• Number of Cases / Settlements has been steady during Roger Severino’s tenure
• 2019 average settlement ($1.2MM) is lower than 2018 ($2.8MM)
Year | Settlement Totals per Year ($000s) | # of Settlements | Average $/Settlement ($000s)
2009 | $2,250 | 1 | $2,250
2010 | $1,035 | 2 | $518
2011 | $6,166 | 3 | $2,055
2012 | $4,850 | 5 | $970
2013 | $3,741 | 5 | $748
2014 | $7,940 | 7 | $1,134
2015 | $6,193 | 6 | $1,032
2016 | $23,505 | 13 | $1,808
2017 | $19,414 | 10 | $1,941
2018 | $28,683 | 11 | $2,608
2019 | $12,274 | 10 | $1,227
OCR Enforcement Trends
Robinsue Frohboese, Acting Director, OCR
Jan 2017 – Mar 2017 (3 mos)
1 Settlement Agreement, 1 CMP
$8,717,000 total, $2,905,667/month
Leon Rodriguez, Director, OCR
Sep 2011 – Jul 2014 (2 yrs 11 mos)
16 Settlement Agreements
$16,381,000 total, $468,029/month
Phase One Audits
Jocelyn Samuels, Director, OCR
Aug 2014 – Jan 2017 (2 yrs 6 mos)
21 Settlement Agreements, 1 CMP
$32,527,882 total, $1,084,263/month
Phase Two Audits
Roger Severino, Director, OCR
Apr 2017 - present (2 yrs 9 mos)
24 Settlement Agreements, 3 CMP
$48,975,600 total, $1,484,109/month
Agreements by OCR Directors
https://www.claimsjournal.com/news/national/2019/03/21/289896.htm
https://www.psqh.com/analysis/report-finds-radiologists-to-blame-for-missed-diagnoses/#
https://arxiv.org/pdf/1901.03597.pdf
https://www.youtube.com/watch?v=_mkRAArj-x0
Malicious Tampering with 3D Medical Imagery Using Deep Learning
How Can A Medical Professional Liability Lawsuit Possibly Happen?
• Lifts a limit on fees that providers and companies are allowed to charge when a patient requests to send their health data to a third party.
• Applies to third parties (e.g., law firms, life insurers, record retrieval companies).
• CEs and BAs may impose a reasonable, cost-based fee to an individual, provided that the fee includes only the cost of Labor, Supplies and Postage.
"Individuals still have the right to timely access to their own health records at a reasonable cost and OCR will continue to vigorously enforce that right consistent with the court's order," Roger Severino said.
Recent Right of Access Development
CMP Settlement $
OTHER COSTS: Notification, Legal, Investigation, Identity Theft, Mitigation, Remediation, Class Action Suit, Forensics, Reputation, Cost of Capital, Insurance, Etc.