© 2010-12 Clearwater Compliance LLC | All Rights Reserved
HIPAA-HITECH Requirements to Safeguard Protected Health Information (PHI)
September 10, 2012
Bob Chaput, CISSP, CIPP/US, MA, CHP, CHSS [email protected]
Briefing Agenda
1. Sources & Magnitude of Liability & Risks
2. HIPAA & HITECH 101
3. How to Spot Key Client Issues
4. Clearwater Compliance 101
Not Exactly a News Flash!
Published Winter 2009
Not Exactly a News Flash!
“Managing Your Risks: These are significant risks that should not be dismissed lightly, but they can be managed through a combination of vendor due diligence, contractual negotiations, and insurance.”
May I add…
• Vendor due diligence should include documentation and representations that robust HIPAA Privacy, HIPAA Security, and HITECH Breach compliance programs are in place…
Privacy Crisis
We are in the midst of a large and rapidly growing health information privacy crisis
• 60% of consumers say privacy laws don’t adequately protect their privacy
• Over 80% of regulated entities say privacy laws are too complex and difficult to understand
• 40 million health records were reported breached between 2005 and 2008
• 20.8 million Americans reportedly had their health privacy breached in the past 2.5 years (HHS “Wall of Shame”)
What’s The Big Deal?¹
• Street cost for a stolen record: Medical $50 vs. SSN $1
• Payout for identity theft: Medical $20,000 vs. Regular $2,000
• Medical records can be exploited 4x longer
• Credit cards can be cancelled; medical records can’t
¹ RSA Report on Cybercrime and the Healthcare Industry
Medical Record Abuse consequences: Prescription Fraud; Embarrassment; Financial Fraud; Personal Data Resale; Blackmail / Extortion; Medical Claims Fraud; Job Loss / Reputational
• Majority of clinical fraud? Obtaining prescription narcotics for illegitimate use
• ~5% of clinical fraud: Free health care
Sources of Risk and Liability
2. HIPAA & HITECH 101
Three Pillars of HIPAA-HITECH Compliance… Privacy, Security, Breach Notification (HIPAA and HITECH)
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
The HITECH Act: THREE absolute “game changers”:
1) More Enforcement
2) Bigger Fines
3) Wider Net Cast
HITECH = Hey It’s Time to End your Compliance Holiday
Penalties Starting to Look Like Real Money
CMS Meaningful Use Attestation Audits
Will CMS conduct audits?¹
“Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.”
“…If you attest prior to actually meeting the meaningful use security requirement (HIPAA Security Risk Analysis), you could increase your business liability for federal law violations and making a false claim.”
¹ https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
Why is This Man Smiling?
“…only way to change is through enforcement…”
“…our 5% budget reduction doesn’t change anything…”
“…enforcement revenues will be used for restitution for victims…AND…reinvestment in STRATEGIC ENFORCEMENT…”
“…enforcement will continue and intensify…”
“…we’re moving from complaint-driven to proactive enforcement…”
“…we’re looking for the “whole menu”…get going on training, PnPs and risk analysis…”
New “Arrows” in HHS/OCR Enforcement Quiver
• New Civil Monetary Penalty System
• SAG Jurisdiction
• OCR Audits
• Wider Net
• Breach Notification Rule
• “Wall of Shame”
• CMS MU Attestation Audits
• FCA?
Complaints (chart): http://www.melamedia.com/HIPAA.Stats.home.html
Why is VITO¹ NOT Really Smiling?
1. Increasing revenues+
2. Increasing efficiencies+
3. Cutting and/or containing costs
…
17. (Blah! Yuck!) Staying in compliance
¹ Very Important Top Official
(Photo caption) David T. Feinberg, M.D., M.B.A., Chief Executive Officer and Associate Vice Chancellor, UCLA Health System
Why are these VITOs¹ NOT Really Smiling?
(Photo captions) Pierre "Peter" Tibi, MD; H. Kenith Fang, MD; Phoenix Cardiac Surgery
1. Increasing revenues+
2. Increasing efficiencies+
3. Cutting and/or containing costs
…
17. (Blah! Yuck!) Staying in compliance
¹ Very Important Top Official
OCR’s investigation also revealed the following issues… Phoenix Cardiac Surgery failed to…:
• implement adequate policies and procedures to appropriately safeguard patient information;
• document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• identify a security official and conduct a risk analysis; and
• obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
HIPAA-HITECH Chain of Trust: Regulations Create Chain of Trust
(Diagram) HIPAA-HITECH Covered Entity → Business Associate 1, Business Associate 2 … Business Associate n → Sub-Contractor 1, Sub-Contractor 2 … Sub-Contractor n
Entities shown in the diagram: Hospital, Employer, Outside IT, Independent Insuror, EHR Contractor, Outside Law Firm, Medical Billing Co.
Who should care? (the size of the market)
NAICS Code¹ | Providers/Suppliers | # Entities
6211-6213 | Office of MDs, DOs, Mental Health Practitioners, Dentists, PT, OT, ST, Audiologists | 419,286
 | Durable Medical Equipment Suppliers² | 107,567
4611 | Pharmacies³ | 88,396
623 | Nursing Facilities (Nursing Care Facilities, Residential Mental Retardation Facilities, Residential Mental Health and Substance Abuse Facilities, Community Care Facilities for the Elderly, Continuing Care Retirement Communities) | 34,400
6216 | Home Health Service Covered Entities | 15,329
6214 | Outpatient Care Centers (Family Planning Centers, Outpatient Mental Health and Drug Abuse Centers, Other Outpatient Health Centers, HMO Medical Centers, Kidney Dialysis Centers, Freestanding Ambulatory Surgical and Emergency Centers, All Other Outpatient Care Centers) | 13,962
6215 | Medical Diagnostic and Imaging Service Covered Entities | 7,879
6219 | Other Ambulatory Care Service Covered Entities (Ambulance and Other) | 5,879
622 | Hospitals (General Medical and Surgical, Psychiatric, Substance Abuse, Other Specialty) | 4,060
524292 | Third Party Administrators Working on Behalf of Covered Health Plans | 3,522
524114 | Health Insurance Carriers | 1,045
 | Total Estimated Covered Entities | 701,325
 | Total Estimated Business Associates⁴ | 1,500,000
 | Total Estimated Business Associate Subcontractors⁵ | 1,500,000
 | Number of Organizations That Should Care About HIPAA Privacy & Security Compliance | 3,701,325
PLUS: New Entries: ACOs, Exchanges and HIEs
¹ North American Industry Classification System; Office of Advocacy, SBA, http://www.sba.gov/advo/research/data.html.
² Centers for Medicare & Medicaid Services covered entities.
³ The Chain Pharmacy Industry, http://www.nacds.org/wmspage.cfm?parm1=507.
⁴ Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under The HITECH Act (NPRM).
⁵ Conservative SWAG by Bob Chaput.
3. How to Spot Key Client Issues
Keep it in Perspective
(Diagram) Event → ? → Incident → ? → Breach
Balanced Privacy & Security Program?
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues
• Procedures or process provide the actions required to deliver on the organization’s values
• Technology includes the various families of technical security controls, including encryption, firewalls, antivirus, intrusion detection, AND incident management tools
(Diagram) Balanced Security Program: Policy, People, Procedures, Technology
Key Items to Check: Demonstrated Good Faith Effort?
1. Privacy and Security Risk Management & Governance Program in place? (45 CFR §164.308(a)(1))
2. Completed a HIPAA Security Evaluation? (45 CFR §164.308(a)(8))
3. Completed a Privacy Rule compliance assessment? (45 CFR §164.530)
4. Completed a Breach Rule compliance assessment? (45 CFR §164.400)
5. Completed a HIPAA Security Risk Analysis? (45 CFR §164.308(a)(1)(ii)(A))
6. Developed comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures? (45 CFR §164.530 and 45 CFR §164.316)
7. Documented and acting on a corrective action plan?
Now What?
4. Clearwater Compliance 101
A Few Clearwater Clients
Business Risk Management Approach
(Diagram) Risks of all types & sizes exist → Risk Identification → Risk Treatment: Avoid / Transfer Risks; Accept Risks; Mitigate / Transfer Risks
Clearwater Compliance Brief Introduction
1. Decades Of Experience
2. Deep Expertise in HIPAA-HITECH
3. Major Clients Across The US
4. All Segments Of Healthcare
5. Proven And Mature Software
6. Methodology & Thought Leadership
7. Superb Customer Service
8. Rigorously Follow All Regulations
9. Business Risk Management
10. Build Longstanding Relationships
Highly Reference-able Customers & Raving Fans
Thought Leadership
• Premium Sponsor
• Significant Development of Costing Framework
• Chief Editor
• 70 Companies / 100 Experts across U.S.
• Congressional Staff Briefing
• National Press Club Briefing
How We Scale
• People: VAR Network Trained in Processes and Technology
• Processes: Web-based PM/tools/templates; QA Oversight; Continuous Process Improvement
• Technology: Enterprise-scalable SaaS Solutions; Anytime, anywhere accessibility
Areas Of Expertise
• Healthcare
• Risk Management
• Executive Leadership
• Public Company
• Privacy
• Security
• Technical
• Regulatory
• Financial
• Legal
• Clinical
• Project Management
• Consulting
Methodologies We Use
• By-the-Book Surveys, Tools and Templates
• “Educate | Assess | Respond | Monitor | Document” Approach
• Clearwater Compliance WorkShop™ Process
• Repeatable, Consistent I-P-O Process Engineering Methods
• Powerful, Proven and Rigorous Software
• Collaborative Web-based Project Management
High Value – High Impact WorkShop™ Process
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete Surveys
II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Evaluate
III. WRITTEN REPORT: A. Findings; B. Observations; C. Recommendations
1 Day
Collaboration With Compliance Team Members
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Must be a Program, Not a Project
(Timeline) Start → Year 1 → Year 2 → Ongoing Support and Guidance
Year 1:
• Oversight
• Assessments
• Corrective Action Plans
• Policies & Procedures
• Training
Year 2:
• Re-Assessments
• Corrective Action Plans
• Policies & Procedures Review
• Training
Ongoing Support and Guidance:
• Re-Assessments
• Corrective Action Plans
• Policies & Procedures Review
• Training
Clearwater message: how to do it
1. Exposures up Significantly
2. HIPAA-HITECH Enforcement on Upswing
3. Millions of CEs and BAs with Issues
4. Clearwater Compliance May Be Able to Help
Questions?
Additional Information
Here’s The Big Deal
• Privacy and security breaches cost hospitals $6 billion a year, and that is rapidly increasing (Benchmark Study on Patient Privacy and Data Security)
• Survey (Nov. 2011) found that 96% of health providers had at least one privacy breach in the past 24 months
• Most providers believe electronic privacy violations will get worse (ANSI Report, p. 21, 37, http://webstore.ansi.org/phi)
New Civil Monetary Penalty System
• Tier 1 (Accidental): $100 each violation; up to $25,000 for identical violations, per year
• Tier 2 (Not Willful Neglect, but Not Accidental): $1,000 each violation; up to $100,000 for identical violations, per year
• Tier 3 (Willful Neglect, but Corrected): $10,000 each violation; up to $250,000 for identical violations, per year
• Tier 4 (Willful Neglect, Not Corrected): $50,000 each violation; up to $1.5 million, per year
PS – Don’t Forget Criminal Penalties
Congress also established criminal penalties for certain actions…
• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.