
Page 1: HIPAA-HITECH Requirements to Safeguard Protected Health …clearwatercompliance.com/wp-content/uploads/2012/09/2012-09-10… · 10-09-2012  · 1RSA Report on Cybercrime and the Healthcare

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

HIPAA-HITECH Requirements to Safeguard Protected Health Information (PHI)

September 10, 2012

Bob Chaput, CISSP, CIPP/US, MA, CHP, CHSS [email protected]

Page 2:

Briefing Agenda

1. Sources & Magnitude of Liability & Risks
2. HIPAA & HITECH 101
3. How to Spot Key Client Issues
4. Clearwater Compliance 101

Page 3:

Not Exactly a News Flash!

Published Winter 2009

Page 4:

Not Exactly a News Flash!

“Managing Your Risks

These are significant risks that should not be dismissed lightly, but they can be managed through a combination of vendor due diligence, contractual negotiations, and insurance.”

May I add…

• Vendor Due Diligence should include documentation and representations that robust HIPAA Privacy, HIPAA Security, HITECH Breach compliance programs are in place…

Page 5:

Privacy Crisis

We are in the midst of a large and rapidly growing health information privacy crisis

• 60% of consumers say privacy laws don’t adequately protect their privacy
• Over 80% of regulated entities say privacy laws are too complex and difficult to understand
• 40 million health records were reported breached between 2005-2008
• 20.8 million Americans reportedly had their health privacy breached in the past 2.5 years (HHS “Wall of Shame”)

Page 6:

What’s The Big Deal? [1]

• Street cost for a stolen record: Medical $50 vs. SSN $1
• Payout for identity theft: Medical $20,000 vs. Regular $2,000
• Medical records can be exploited 4x longer
• Credit cards can be cancelled; medical records can’t

Medical Record Abuse consequences: Prescription Fraud, Embarrassment, Financial Fraud, Personal Data Resale, Blackmail / Extortion, Medical Claims Fraud, Job loss / Reputational

• Majority of clinical fraud? Obtain prescription narcotics for illegitimate use
• ~5% of clinical fraud: Free health care

[1] RSA Report on Cybercrime and the Healthcare Industry

Page 7:

Sources of Risk and Liability

Page 8:

Briefing Agenda

Page 9:

Three Pillars of HIPAA-HITECH Compliance…

Pillars (diagram): Privacy, Security, Breach Notification; HIPAA and HITECH

• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs

Page 10:

The HITECH Act: THREE absolute “game changers”:

1) More Enforcement
2) Bigger fines
3) Wider Net Cast

HITECH = Hey It’s Time to End your Compliance Holiday

Page 11:

Penalties Starting to Look Like Real Money

Page 12:

CMS Meaningful Use Attestation Audits

Will CMS conduct audits? [1]

“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”

“…If you attest prior to actually meeting the meaningful use security requirement (HIPAA Security Risk Analysis), you could increase your business liability for federal law violations and making a false claim.”

[1] https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10

Page 13:

Why is This Man Smiling?

“…only way to change is through enforcement…”

“…our 5% budget reduction doesn’t change anything…”

“… enforcement revenues will be used for restitution for victims…AND… reinvestment in STRATEGIC ENFORCEMENT…”

“… enforcement will continue and intensify…”

“…we’re moving from complaint-driven to proactive enforcement…”

“… we’re looking for the “whole menu”…get going on training, PnPs and risk analysis…”

Page 14:

New “Arrows” in HHS/OCR Enforcement Quiver

• New Civil Monetary Penalty System
• SAG Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• CMS MU Attestation Audits
• FCA?

Page 15:

COMPLAINTS

http://www.melamedia.com/HIPAA.Stats.home.html

Page 16:

Why is VITO [1] NOT Really Smiling?

1. Increasing revenues+
2. Increasing efficiencies+
3. Cutting and/or containing costs
…
17. (Blah! Yuck!) Staying in compliance

[1] Very Important Top Official

David T. Feinberg, M.D., M.B.A., Chief Executive Officer and Associate Vice Chancellor, UCLA Health System

Page 17:

Why are these VITOs [1] NOT Really Smiling?

Pierre "Peter" Tibi, MD; H. Kenith Fang, MD; Phoenix Cardiac Surgery

1. Increasing revenues+
2. Increasing efficiencies+
3. Cutting and/or containing costs
…
17. (Blah! Yuck!) Staying in compliance

[1] Very Important Top Official

OCR’s investigation also revealed the following issues… Phoenix Cardiac Surgery failed to…:

• implement adequate policies and procedures to appropriately safeguard patient information;
• document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• identify a security official and conduct a risk analysis; and
• obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Page 18:

HIPAA-HITECH Chain of Trust

Regulations Create Chain of Trust (diagram): HIPAA-HITECH Covered Entity (Hospital) → Business Associate 1, Business Associate 2, … Business Associate n → Sub-Contractor 1, Sub-Contractor 2, … Sub-Contractor n

Other labels in the diagram: Employer, Outside IT, Independent Insurer, EHR Contractor, Outside Law Firm, Medical Billing Co.

Page 19:

Who should care? (the size of the market)

Number of Organizations That Should Care About HIPAA Privacy & Security Compliance

| NAICS Code [1] | Providers/Suppliers | # Entities |
| --- | --- | --- |
| 6211-6213 | Office of MDs, DOs, Mental Health Practitioners, Dentists, PT, OT, ST, Audiologists | 419,286 |
| | Durable Medical Equipment Suppliers [2] | 107,567 |
| 4611 | Pharmacies [3] | 88,396 |
| 623 | Nursing Facilities (Nursing Care Facilities, Residential Mental Retardation Facilities, Residential Mental Health and Substance Abuse Facilities, Community Care Facilities for the Elderly, Continuing Care Retirement Communities) | 34,400 |
| 6216 | Home Health Service Covered Entities | 15,329 |
| 6214 | Outpatient Care Centers (Family Planning Centers, Outpatient Mental Health and Drug Abuse Centers, Other Outpatient Health Centers, HMO Medical Centers, Kidney Dialysis Centers, Freestanding Ambulatory Surgical and Emergency Centers, All Other Outpatient Care Centers) | 13,962 |
| 6215 | Medical Diagnostic and Imaging Service Covered Entities | 7,879 |
| 6219 | Other Ambulatory Care Service Covered Entities (Ambulance and Other) | 5,879 |
| 622 | Hospitals (General Medical and Surgical, Psychiatric, Substance Abuse, Other Specialty) | 4,060 |
| 524292 | Third Party Administrators Working on Behalf of Covered Health Plans | 3,522 |
| 524114 | Health Insurance Carriers | 1,045 |
| | Total Estimated Covered Entities | 701,325 |
| | Total Estimated Business Associates [4] | 1,500,000 |
| | Total Estimated Business Associate Subcontractors [5] | 1,500,000 |
| | Total | 3,701,325 |

PLUS: New Entries: ACOs, Exchanges and HIEs

[1] North American Industry Classification System; Office of Advocacy, SBA, http://www.sba.gov/advo/research/data.html.
[2] Centers for Medicare & Medicaid Services covered entities.
[3] The Chain Pharmacy Industry, http://www.nacds.org/wmspage.cfm?parm1=507.
[4] Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under The HITECH Act (NPRM).
[5] Conservative SWAG by Bob Chaput.

Page 20:

Briefing Agenda

Page 21:

Keep it in Perspective (diagram): Event → ? → Incident → ? → Breach

Page 22:

Balanced Privacy & Security Program?

• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues
• Procedures or process provide the actions required to deliver on the organization’s values
• Technology includes the various families of technical security controls including encryption, firewalls, antivirus, intrusion detection, AND incident management tools

Page 23:

Key Items to Check: Demonstrated Good Faith Effort?

1. Privacy and Security Risk Management & Governance Program in place? (45 CFR §164.308(a)(1))
2. Completed a HIPAA Security Evaluation? (45 CFR §164.308(a)(8))
3. Completed a Privacy Rule compliance assessment? (45 CFR §164.530)
4. Completed a Breach Rule compliance assessment? (45 CFR §164.400)
5. Completed a HIPAA Security Risk Analysis? (45 CFR §164.308(a)(1)(ii)(A))
6. Developed comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures? (45 CFR §164.530 and 45 CFR §164.316)
7. Documented and acting on a corrective action plan?

Page 24:

Now What?

Page 25:

Briefing Agenda

Page 26:

A Few Clearwater Clients

Page 27:

Business Risk Management Approach

Risks of all types & sizes exist

Risk Identification → Risk Treatment:
• Avoid / Transfer Risks
• Accept Risks
• Mitigate / Transfer Risks

Page 28:

Clearwater Compliance Brief Introduction

1. Decades Of Experience
2. Deep Expertise in HIPAA-HITECH
3. Major Clients Across The US
4. All Segments Of Healthcare
5. Proven And Mature Software
6. Methodology & Thought Leadership
7. Superb Customer Service
8. Rigorously Follow All Regulations
9. Business Risk Management
10. Build Longstanding Relationships

Highly Reference-able Customers & Raving Fans

Pages 29-32:

Thought Leadership

• Premium Sponsor
• Significant Development of Costing Framework
• Chief Editor
• 70 Companies / 100 Experts across U.S.
• Congressional Staff Briefing
• National Press Club Briefing

Page 33:

How We Scale

• People: VAR Network Trained in Processes and Technology
• Processes: Web-based PM/tools/templates; QA Oversight; Continuous Process Improvement
• Technology: Enterprise-scalable SaaS Solutions; Anytime, anywhere accessibility

Page 34:

Areas Of Expertise

• Healthcare
• Risk Management
• Executive Leadership
• Public Company
• Privacy
• Security
• Technical
• Regulatory
• Financial
• Legal
• Clinical
• Project Management
• Consulting

Page 35:

Methodologies We Use

• By-the-Book Surveys, Tools and Templates
• “Educate | Assess | Respond | Monitor | Document” Approach
• Clearwater Compliance WorkShop™ Process
• Repeatable, Consistent I-P-O Process Engineering Methods
• Powerful, Proven and Rigorous Software
• Collaborative Web-based Project Management

Page 36:

High Value – High Impact WorkShop™ Process

I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete Surveys
II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Evaluate
III. WRITTEN REPORT: A. Findings; B. Observations; C. Recommendations

1 Day

Pages 37-38:

Collaboration With Compliance Team Members

Page 39:

Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Must be a Program, Not a Project

Start: Oversight; Assessments; Corrective Action Plans; Policies & Procedures; Training

Year 1: Re-Assessments; Corrective Action Plans; Policies & Procedures Review; Training

Year 2 (Ongoing Support and Guidance): Re-Assessments; Corrective Action Plans; Policies & Procedures Review; Training

Clearwater message: how to do it

Page 40:

1. Exposures up Significantly
2. HIPAA-HITECH Enforcement on Upswing
3. Millions of CEs and BAs with Issues
4. Clearwater Compliance May Be Able to Help

Page 41:

Questions?

Page 42:

Additional Information

Page 43:

Here’s The Big Deal

• Privacy breaches and security cost hospitals $6 billion a year, and that is rapidly increasing (Benchmark Study on Patient Privacy and Data Security)
• Survey, Nov. 2011: found that 96% of health providers had at least one privacy breach in the past 24 months
• Most providers believe electronic privacy violations will get worse (ANSI Report, p. 21, 37, http://webstore.ansi.org/phi)

Page 44:

New Civil Monetary Penalty System

• Tier 1 (Accidental)
  – $100 each violation
  – Up to $25,000 for identical violations, per year
• Tier 2 (Not Willful Neglect, but Not Accidental)
  – $1,000 each violation
  – Up to $100,000 for identical violations, per year
• Tier 3 (Willful Neglect, but Corrected)
  – $10,000 each violation
  – Up to $250,000 for identical violations, per year
• Tier 4 (Willful Neglect, Not Corrected)
  – $50,000 each violation
  – Up to $1.5 million, per year

Page 45:

PS – Don’t Forget Criminal Penalties

Congress also established criminal penalties for certain actions…

• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.