
Page 1: What we might see from OCR in 2020

Live Web Event

February 12, 2020

© Clearwater Compliance | All Rights Reserved

Page 2: Legal Disclaimer and Copyright Notice

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3: Webinar Logistics

1. Slide materials – Link in Chat Box (Should have also received in reminder email earlier today)

2. All attendees are in “Listen Only Mode”

3. Please ask content related questions in “Q&A”

4. In case of technical issues, use / check “Chat”

5. Please participate in all polls

6. Please complete Exit Survey when you leave our session

7. Recorded version, final slides, and Certificate of Attendance will be shared with you within 48 hours

Page 4: Introduction to Clearwater

Founded in Nashville in 2010, colleagues in 20+ states, growing rapidly

Portfolio company of Altaris Capital Partners, a healthcare PE firm with $3B under management

Leading provider of enterprise cyber risk management and HIPAA compliance software and solutions for healthcare

Approximately 400 customers, including 60 IDNs, many with enterprise programs

100% success rate when deliverables submitted to the Office for Civil Rights (OCR)

Page 5: Your Presenters: Bob Chaput

Bob Chaput, MA, CISSP, HCISPP, CRISC, C|EH, CIPP/US, NACD CERT Cyber Risk Oversight

Executive Chairman & Founder, Clearwater

• 40+ years in Business, Operations, Technology & Cyber Risk Management

• 25+ years in Healthcare

• Executive | Educator | Entrepreneur

• Global Healthcare Executive: GE, JNJ, HWAY

• Responsible for some of the largest, most sensitive healthcare datasets in the world

• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates

• Member: NACD, IAPP, ISC2, CHIME/AEHIS, HIMSS, ISSA, HCCA

Page 6: Your Presenters: Iliana Peters

Iliana Peters, JD, LLM, CISSP

Shareholder, Polsinelli PC; Former Acting Deputy Director, HHS Office for Civil Rights

• Recognized by the healthcare industry as a preeminent thought leader and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data

• For over a decade, she both developed health information privacy and security policy, including on emerging technologies and cyber threats, for the Department of Health and Human Services, and enforced HIPAA regulations through spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA.

• Member: ABA, AHLA, ISC2, Hispanic National Bar Association

Page 7: About Polsinelli

Polsinelli serves clients nationally across the full spectrum of their legal needs:

100+ services and 70+ industry areas | 800+ Attorneys | 20 Cities – Metropolitan offices in:

▪ Atlanta ▪ Boston ▪ Chicago ▪ Dallas ▪ Denver ▪ Houston ▪ Kansas City ▪ Los Angeles ▪ Nashville ▪ New York ▪ Phoenix ▪ St. Louis ▪ San Francisco ▪ Silicon Valley ▪ Washington, D.C. ▪ Wilmington

Legal Industry National Recognition

• Ranked #24 for Client Service Excellence – 2018 BTI Client Service A-Team Report

• Ranked #10 for Best Client Relationships – 2017 BTI Industry Power Rankings

• Named among the top 20 best-known firms in the nation – 2017 BTI Brand Elite

Page 8: Pause and Poll

1. What type of organization do you represent?

Hospital / Health System / IDN | Other Covered Entity | Business Associate | Hybrid | Don’t Know

Page 9: Discussion Flow

• Review Clearwater Research and Publication

• Hear Iliana Peters’ Perspective

• Survey Your Perspective

• Summarize with Key Takeaways

https://go.clearwatercompliance.com/the-year-in-healthcare-information-security-and-privacy-regulations-and-what-lies-ahead-for-2020

Page 10: D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

https://sites-polsinelli.vuturevx.com/112/2104/february-2020/d.c.-district-court-limits-the-hipaa-privacy-rule-requirement.asp?sid=26dee53c-6f58-4ecb-923b-68db46a2af8f

Page 11: Recent Coronavirus Development

• Treatment

• Public Health Activities

• Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

• Disclosures to Prevent a Serious and Imminent Threat

• Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

• Minimum Necessary

Page 12: What Did We See in 2019?

How Did Your Organization Fare in 2019?

Indicator / 2019 Direction

• Breaches

• Patient complaints

• Federal settlement dollars

• State actions / penalties

• Lawsuits

• State Laws

• Compliance and Cyber Risk Management costs

Page 13: Breaches and Records @ 12/31/2019, Under Investigation + Archived

                  2018          2019          Change
# of Breaches     371           494           +33%
# of Records      13,947,909    41,134,121    +195%

Page 14: The Categories and Attack Surfaces of Records Under Investigation

Categories (Causes)                Records
Hacking/IT Incident                35,459,203
Unauthorized Access/Disclosure      4,579,826
Theft/Loss                            348,748
Improper Disposal                      21,281

Attack Surface                     Records
Network Server                     35,610,656
Email                               2,949,335
Desktop Computer                      643,023
Laptop/Other Portable Device          202,159

Attacking / Hacking Servers!

Page 15: Pause and Poll

2. Does your organization have budgeted compliance and cyber risk management improvement goals for 2020?

Yes, we have plans and a budget to make improvements | No new plans, we’re in good shape | Don’t know

Page 16: Business Associates Drove # of Records Breached in 2019

# of Breaches:  CE 344 | BA 85

# of Records:   CE 16,081,235 | BA 24,327,823

Business Associates - responsible for 20% of Breaches / 60% of Records

Page 17: Key Takeaways for 2020

Concern for third-party risk management will continue to be prominent

BAs should be prepared for even greater levels of due diligence

Page 18: Pause and Poll

3. Please indicate extent of agreement with this statement: Our current third-party risk management program will adequately protect our organization in 2020.

Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree

Page 19: Complaints Are On The Rise

Complaints Received and Investigated

Year    Received    Investigated    % of CAO to Investigations
2015    18,923      1,095           67%
2016    22,837      1,001           78%
2017    25,144      1,118           78%
2018    23,623      1,117           77%
2019    28,329      1,487           70%

• The number of complaints in 2019 increased 20% over 2018

• Investigations in 2019 increased 33% over 2018

• However, % of Corrective Actions Obtained (CAO) to Investigations still high at 70%

Page 20: Key Takeaways for 2020

Two Settlement Agreements in 2019 were initiated by Complaints following OCR establishing a “Right of Access Initiative” in 2019

The scope of HIPAA enforcement is broadening to encompass ensuring patient rights; expect more to come

Page 21: Pause and Poll

4. At 45 CFR §164.530(a)(1)(ii), the Privacy Rule requires designation of “… a contact person or office who is responsible for receiving complaints”. Please indicate the extent of your agreement with this statement: Our patients / customers / employees will contact our organization with a complaint before contacting OCR.

Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree

Page 22: Summary of 2019 OCR Settlements & CMPs [1]

Type of Violation                                   Number    Collected
• Unencrypted laptop and mobile devices             3         $3,165,000.00
• Not notifying OCR or victims of the breach        1         $3,000,000.00
• Lack of BA Agreement                              1         $2,175,000.00
• Not discovering a breach in a timely manner       1         $2,154,000.00 - CMP
• Lack of access credentials on public server       1         $1,600,000.00 - CMP
• Failing to provide right of access                2           $170,000.00
• Disclosing PHI on Yelp reviews                    1            $10,000.00
Total                                               10        $12,274,000.00

OCR Director Roger Severino admonished in a press release: “Neglecting to have a comprehensive, enterprise-wide risk analysis is a recipe for failure.”

Out of 8 “ePHI cases”, 7 (88%) failed to conduct an OCR-Quality Risk Analysis®

[1] https://www.hhs.gov/civil-rights/for-providers/compliance-enforcement/agreements/index.html

Page 23: Risk Analysis & Risk Management Adverse Findings

TO DATE, THERE HAVE BEEN 74 OFFICE FOR CIVIL RIGHTS ENFORCEMENT ACTIONS

90% of those enforcement actions involving ePHI included adverse findings in organizations’ RISK ANALYSIS

1. WRONG REPORT: submission of a Non-Technical Evaluation or Technical Evaluation or something else

2. NOT ASSET-BASED: too many organizations treating as a checklist matter rather than a loss/harm matter

3. NOT COMPREHENSIVE ENOUGH: must include every asset in every LOB in every facility in every location

4. NOT DETAILED ENOUGH: not considering every asset-threat-vulnerability scenario

5. NOT FOLLOWING OCR/NIST GUIDANCE: 9 essential elements in OCR guidance

6. NOT ENOUGH DOCUMENTATION/ENGAGEMENT: little evidence of vibrant ongoing program and management engagement

IRM|Analysis™ and Clearwater isolate & address all of these issues

Page 24: Key Takeaways for 2020

OCR’s enforcement of the risk analysis requirement has been consistent

OCR expects risk analysis to be a continuous process, not a once and done assessment

A comprehensive risk analysis must be done that is appropriate for the complexity and scale of the organization

Medium to large organizations should leverage commercial cyber risk management software that:

o Is designed for healthcare

o Facilitates the continuous process requirements

o Provides appropriate documentation as evidence of practice

o Optimizes security resources and budget

o And is in accordance with the OCR Guidance on Risk Analysis Requirements

Page 25: Regarding Risk Analysis [1]

• "For enforcement purposes, there's still a lot of low-hanging fruit," the OCR director said. "There are a lot of entities that are not doing the basic steps to make sure they have proper, for example, cybersecurity protections in place. They're not doing the comprehensive risk analyses on the front end."

• "That information needs to be protected, which means entities have to do, first and foremost, proper risk analysis at the front end ... so that they don't have to face some very difficult questions in enforcement actions from OCR at the back end," the director said.

[1] https://www.law360.com/articles/1233269/hipaa-boss-sees-low-hanging-fruit-ripe-for-enforcement

Page 26: Pause and Poll

5. Please indicate extent of agreement with this statement: Our organization can deliver an OCR-quality Risk Analysis™, if requested by OCR or other enforcement agencies.

Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree

Page 27: Civil Monetary Penalties Are Changing (maybe)

• April 2019 - HHS issued a notice regarding a change in the Annual Penalty Limit, which previously applied the same cumulative annual CMP limit of $1,500,000 to each of the four penalty tiers in the HITECH Act, to an annual amount that better reflects the level of culpability:

o No Knowledge

o Reasonable Cause

o Willful Neglect - Corrected

o Willful Neglect - Not Corrected

• The Notice concludes with “HHS will use this penalty tier structure, as adjusted for inflation, until further notice,” adding: “This exercise of enforcement discretion is effective indefinitely.”

• November 2019 - HHS issued a statement increasing the CMP for HIPAA violations in accordance with the Inflation Adjustment Act. This increase will be effective immediately.

Key Takeaway: The revised Annual Limits have yet to be made official, so OCR can legally use the new maximum Annual Penalty Limit increased for inflation across all penalty tiers: $1,754,698

Page 28: Imposition of Civil Money Penalties [1]

BEFORE NOTIFICATION OF ENFORCEMENT DISCRETION

AFTER NOTIFICATION OF ENFORCEMENT DISCRETION

[1] https://www.ecfr.gov/cgi-bin/text-idx?SID=62698974ad3e15d8181d2eaed0152961&mc=true&node=pt45.1.160&rgn=div5#sp45.2.160.d

Page 29: Annual Civil Money Penalties Inflation Adjustment [1]

CMP for HIPAA violations in accordance with the Inflation Adjustment Act

Key Takeaway: The revised Annual Limits have yet to be made official, so OCR can legally use the new maximum Annual Penalty Limit increased for inflation across all penalty tiers: $1,754,698

[1] https://www.govinfo.gov/content/pkg/FR-2019-11-05/pdf/2019-23955.pdf

Page 30: OCR Total Spending UP | Use of Settlement Monies is UP

Total Funding Provided (in $ millions)

Fiscal Year    Net Appropriation    Settlement Monies Spent / Budgeted    Total
FY2017         $38.7                $8.1                                  $46.8
FY2018         $32.5                $11.2                                 $43.7
FY2019         $39.0                $13.4                                 $52.4
FY2020         $30.0                $23.0                                 $53.0

Cumulative $ Spent/Collected/Remaining (in $ millions)

Fiscal Year    Cumulative Settlement Monies Spent/Budgeted    Cumulative Settlement Monies Collected    Settlement Monies Remaining
FY2017         $8.1                                           $75.0                                     $66.9
FY2018         $19.3                                          $103.7                                    $84.4
FY2019         $32.7                                          $116.0                                    $83.3
FY2020         $55.7                                          $116.0                                    $60.3

Source:
https://www.hhs.gov/about/budget/fy2020/index.html
https://www.hhs.gov/sites/default/files/fy-2020-budget-in-brief.pdf
https://www.hhs.gov/ocr/about-us/budget/index.html

Page 31

CMP / Settlement $

OTHER COSTS: Notification, Legal, Investigation, Identity Theft, Mitigation, Remediation, Class Action Suit, Forensics, Reputation, Cost of Capital, Insurance, Etc.

Page 32: St. Joseph Health System Case

$2.1 million OCR Settlement

“And, St. Joseph Health System settled with a cash payment of $7.5 million to participating settlement class members. The court documents also indicate that St. Joseph spent an additional $7.5 million on identity theft protection, $13.0 million to institute policies to comply with federal & state regulations, and $7.5 million in attorney’s fees..."

$37.54 Million and counting…

Page 33: Anthem, Inc. – Current Tally

(in $ millions)

OCR Settlement Amount            $ 16.0
Expert Consultants                  2.5
Initial Notification Costs         31.0
Estimated Security Upgrades       260.0
Class-Action settlement           115.0
Estimated Total Costs            $ 424.5

Anthem’s annual reports filed with the SEC have not detailed the full cost of the data breach!

Page 34: Pause and Poll

6. Please indicate extent of agreement with this statement: “Our C-Suite and Board understand the financial implications of a HIPAA violation and/or data breach.”

Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree

Page 35: State Penalties Have Increased

• State AGs are including violations of State Laws in addition to HIPAA

• Since 2010, State AGs have collected over $19,508,000

• 2018: 9 HIPAA cases, collected $3,543,000

• 2019: only 3 HIPAA cases, but collected $11,835,000

• Multi-state enforcement actions emerging

Key Takeaways for 2020: Expect more state enforcement actions in 2020 for health care-related breaches

Page 36: State Privacy Laws Are Getting More Complex

• California finalized the CCPA in October 2019; it took effect January 1, 2020 and is inspired by the provisions in the GDPR that let individuals request that their information be deleted and forbid its sale

• Nevada Senate Bill 220 (Online Privacy) took effect October 2019, providing residents an opt-out regarding the sale of personal information in addition to the right to request what information is collected

• Maine signed into law in June 2019 An Act to Protect the Privacy of Online Customer Information, which prohibits ISPs from using, disclosing, selling or permitting access to the vast majority of the information generated by a customer’s use of internet service

• New York signed into law the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, which broadened the scope of private information to include biometric information and email addresses and passwords

• In addition, seven States amended Data Breach Notification Laws in 2019

Page 37: Individuals Filing Lawsuits

• No private right of action under HIPAA

• Lawsuits are based on breach of fiduciary duty, breach of contract, or negligence

https://www.renalandurologynews.com/home/departments/hipaa-compliance/patient-lawsuits-for-hipaa-related-breaches/

Page 38: Updated Guidance on Privacy and Student Education and Health Records [1]

On December 19, 2019, OCR and the Department of Education released updated guidance clarifying how FERPA and the HIPAA Privacy Rule apply to education and health records maintained about students. The guidance addresses new questions such as:

• When can PHI or PII from an education record be shared with the parent of an adult student?

• What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?

• Does HIPAA allow a provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?

• When can PHI or PII be shared about a student who presents a danger to self or others?

• Under FERPA, can an educational agency disclose, without prior written consent, PII from a student’s education records, including health records, to law enforcement officials?

• Does FERPA permit an educational agency to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?

[1] https://www.hhs.gov/about/news/2019/12/19/updated-joint-guidance-privacy-and-student-education-and-health-records.html

Page 39: Key Takeaways for 2020

The updated OCR and DOE guidance reflects OCR’s efforts to provide for evolving patient data sharing trends.

To that end, expect discussions on how to update HIPAA for the digital age to intensify this year, especially in the wake of PROJECT NIGHTINGALE [1]

[1] https://www.healthcaredive.com/news/it-execs-call-for-hipaa-overhaul-in-project-nightingale-wake/567520/

Page 40: Evolving Focus is Required

c. 2010: Compliance

c. 2015: Security & ECRM

c. 2018: Patient Safety

c. 2020: Medical Professional Liability

Page 41: Connect the Dots!

Timely Care | Access to Care | Quality & Safe Care

Availability | Integrity | Confidentiality

Patient Information & Patient Safety & MPL

Page 42: What Might We Expect from OCR and Others in 2020?

Be Prepared for More in 2020

• Breaches increasing?

• Patient complaints increasing?

• Federal penalties increasing?

• State penalties increasing?

• Lawsuits increasing?

• State Laws getting even more complex?

• Compliance and Cyber Risk Management costs increasing?

• Risk Analysis / Risk Management Enforcement increasing?

• No matter where you are in your compliance risk management and cyber risk management programs, dial it up!

• Engage the C-suite and Board because it’s a business risk management issue

Page 43: Pause and Poll

7. Please indicate extent of agreement with this statement: This web session helped me better understand what enforcement we might expect from OCR and state regulators in 2020.

Strongly Agree | Agree | Uncertain | Disagree | Strongly Disagree

Page 45: Resources for You

1. Polsinelli Article: D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

2. Article discussed in this session: The Year in Healthcare Information Security and Privacy Regulations and What Lies Ahead for 2020

3. OCR enforcement information: Recent Civil Rights Resolution Agreements & Compliance Reviews

4. Previously recorded live web event: Top Reasons for Risk Analysis Failures | Featuring former OCR Leader & Investigator, Iliana Peters

5. Clearwater White Paper: Connecting the Dots Between Cyber Risk and Patient Safety

6. Research Paper: CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

7. Recent Law360 article: HIPAA Boss Sees 'Low-Hanging Fruit' Ripe For Enforcement

Page 46: Thank You & Questions

Bob Chaput | bob.chaput@ClearwaterCompliance.com | 615.656.4299 | www.clearwatercompliance.com

Iliana [email protected]

Page 47

www.ClearwaterCompliance.com

800.704.3394

LinkedIn | linkedin.com/company/clearwater-compliance-llc/

Twitter | @clearwaterhipaa


Additional Slides


OCR Pipeline? Breaches and Records Under Investigation @12/31/2019

                   2018         2019
# of Breaches      155          429
# of Records       6,478,436    40,409,058

Percentage labels shown on the chart: 523% and 198%.


OCR Enforcement Trends (* through 12/31/2019)

• Total Dollars Collected is down in 2019
• Number of Cases/Settlements has held steady during Roger Severino's tenure
• 2019 average settlement ($1.2MM) is lower than 2018 ($2.8MM)

Year   Settlement Totals per Year ($000s)   # of Settlements   Average $/Settlement ($000s)
2009   $2,250                                1                  $2,250
2010   $1,035                                2                  $518
2011   $6,166                                3                  $2,055
2012   $4,850                                5                  $970
2013   $3,741                                5                  $748
2014   $7,940                                7                  $1,134
2015   $6,193                                6                  $1,032
2016   $23,505                               13                 $1,808
2017   $19,414                               10                 $1,941
2018   $28,683                               11                 $2,608
2019   $12,274                               10                 $1,227


Agreements by OCR Directors

Leon Rodriguez, Director, OCR
Sep 2011 – Jul 2014 (2 yrs 11 mos)
16 Settlement Agreements
$16,381,000 total; $468,029/month
Phase One Audits

Jocelyn Samuels, Director, OCR
Aug 2014 – Jan 2017 (2 yrs 6 mos)
21 Settlement Agreements, 1 CMP
$32,527,882 total; $1,084,263/month
Phase Two Audits

Robinsue Frohboese, Acting Director, OCR
Jan 2017 – Mar 2017 (3 mos)
1 Settlement Agreement, 1 CMP
$8,717,000 total; $2,905,667/month

Roger Severino, Director, OCR
Apr 2017 – present (2 yrs 9 mos)
24 Settlement Agreements, 3 CMP
$48,975,600 total; $1,484,109/month


How Can A Medical Professional Liability Lawsuit Possibly Happen?

Malicious Tampering with 3D Medical Imagery Using Deep Learning

https://www.claimsjournal.com/news/national/2019/03/21/289896.htm
https://www.psqh.com/analysis/report-finds-radiologists-to-blame-for-missed-diagnoses/#
https://arxiv.org/pdf/1901.03597.pdf
https://www.youtube.com/watch?v=_mkRAArj-x0


Recent Right of Access Development

• Lifts a limit on fees that providers and companies are allowed to charge when a patient requests to send their health data to a third party.

• Applies to third parties (e.g., law firms, life insurers, record retrieval companies).

• CEs and BAs may impose a reasonable, cost-based fee to an individual, provided that the fee includes only the cost of Labor, Supplies and Postage.

"Individuals still have the right to timely access to their own health records at a reasonable cost and OCR will continue to vigorously enforce that right consistent with the court's order," Roger Severino said.


CMP Settlement $

OTHER COSTS:
• Notification
• Legal
• Investigation
• Identity Theft
• Mitigation
• Remediation
• Class Action Suit
• Forensics
• Reputation
• Cost of Capital
• Insurance
• Etc.