BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...
Transcript of BOS HIPAA BootCamp - Module 7 - How to Assess and Monitor ...
7/28/2014
©Clearwater Compliance LLC 1
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Instructional Module 7: How to Assess and Monitor Your Compliance with the HIPAA Privacy and Security and HITECH Breach Notification Rules
Module 7. Overview
1. “How to Assess and Monitor Your Compliance with the HIPAA Privacy and Security and HITECH Breach Notification Rules”
2. Instructional Module Duration = 45 minutes
3. Learning Objectives Addressed In This Module
‒ Describe the Process for Conducting a Compliance Assessment
‒ Identify Practical Solutions to Close Common Compliance Gaps
‒ Use OCR’s 2012 Audit Protocols to Identify Specific Documentation Requirements
‒ Design an Assessment Compliance Dashboard for Communicating Remediation Progress
‒ Describe additional factors to consider in Breach Determination
9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR §164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR §164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)
Policy defines an organization’s values & expected behaviors; it establishes “good faith” intent.
People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
Sample OCR Enforcement Action
Seeking Evidence of:
• Governance
• PnPs
• Assessments
• Documentation
• Etc.
Why do HIPAA Compliance Assessments?
1. Prepare for Mandatory Audits
2. Prepare for Complaint or Breach Investigations
3. Reduce the Risk of a Costly Data Breach
4. Complete Security Rule requirement 45 C.F.R. §164.308(a)(8)
5. Build Solid Educational Foundation
6. Re-energize Overall Compliance Program
Evidence of Good Faith Effort vs. Reckless Disregard
Types of Assessments
1. Compliance Assessments (Security Evaluation - Non-Technical, at 45 CFR §164.308(a)(8))
– Where do we stand?
– How well are we achieving ongoing compliance?
2. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
– What are the threats and vulnerabilities of our information assets (ePHI)?
– What do we need to do to mitigate risks?
3. Technical Assessments (Security Evaluation – Technical, at 45 CFR §164.308(a)(8))
– How effective are the safeguards we have implemented?
– Are the safeguards working?
4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
– Consider at least 4 factors to gauge the potential of compromise
– Is there a low probability of compromise of PHI?
Each Assessment Has Its Role and Proper Time
Pause & Quick Poll: HIPAA Compliance Assessments?
• Has Your Organization Completed HIPAA Privacy, Security or Breach Notification Rule Assessments?
YES / NO / DON’T KNOW
How To Conduct a HIPAA Compliance Assessment
1. Crosswalk Policies and Procedures against the Rules
2. Identify, Document and Prioritize Gaps
3. Recommend and Implement a Remediation Plan to Close Gaps
4. Update and Train on New and Revised Policies and Procedures
5. Monitor Progress, Audit and Report on Results
Policies and Procedures Cross-Walk to the Regulations
Reference NIST SP 800-66
http://clearwatercompliance.com/wp-content/uploads/2013/12/NIST_SP-800-66-Revision1.pdf
• Basis of HIPAA Security Rule
• Cross-walks HIPAA Security Rule to Compendium of NIST Security Framework Documents
3 Dimensions of HIPAA Assessment
1. Is it documented? • Policies, Procedures and Documentation
2. Are you doing it? • Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? • Comply with the implementation specification
“…one of the benefits that OCR wanted out of the pilot audit program was to be able to put a protocol out there, so that when its auditors went in, it was essentially an open‐book test for covered entities and they could later do their own internal assessments and audits.”
“That protocol is for the entity’s self‐learning and self‐correction.”
HIT Policy Committee Meeting 12‐4‐13
https://ocrnotifications.hhs.gov/hipaa.html
Security Assessment Results
Sample dashboard scores (score, percent): 2.60, 65%; 3.11, 78%
• Prioritize addressing those weaknesses that pose the highest risk
• Consider the most prevalent causes of security incidents or privacy violations
Privacy & Breach Assessment Results
Sample dashboard scores (score, percent): 2.60, 65%; 2.80, 70%
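As an added example (not part of the module or Clearwater’s materials), the following Python script ties the five-step assessment process, the three assessment dimensions and the results-slide figures together: each requirement from the crosswalk is rated on the three dimensions, rolled up per rule area for the dashboard, ranked as a gap, and re-scored after remediation. It assumes a 0 to 4 rating scale per dimension, since a 4-point maximum reproduces the deck’s score/percent pairs; the findings, ratings and risk weights are constructed.

```python
"""Compliance assessment dashboard: score each requirement on the module's three
dimensions, roll the scores up per rule area, rank the gaps, and track progress
between assessment rounds. Constructed example, not Clearwater's tooling.

Assumption: ratings use a 0..4 scale. A 4-point maximum reproduces the percentages
on the results slides (2.60 -> 65%, 3.11 -> 78%, 2.80 -> 70%).
"""
from dataclasses import dataclass, replace

MAX_SCORE = 4.0  # assumption: 4-point rating scale per dimension


@dataclass(frozen=True)
class Finding:
    citation: str         # rule citation from the crosswalk (step 1)
    requirement: str      # what the rule requires, in plain words
    documented: int       # dimension 1: is it documented?           (0..4)
    practiced: int        # dimension 2: are you doing it?            (0..4)
    reasonable: int       # dimension 3: reasonable and appropriate?  (0..4)
    risk_weight: int = 1  # 1 = low .. 3 = high impact if the gap stays open

    def __post_init__(self):
        for rating in (self.documented, self.practiced, self.reasonable):
            if not 0 <= rating <= MAX_SCORE:
                raise ValueError(f"rating {rating} outside 0..{MAX_SCORE:g}")

    def score(self) -> float:
        """Mean of the three dimension ratings."""
        return (self.documented + self.practiced + self.reasonable) / 3


def to_percent(score: float) -> int:
    """Dashboard percentage for a mean score on the assumed 4-point scale."""
    return round(score / MAX_SCORE * 100)


def area_of(citation: str) -> str:
    """Rule-area key: the citation up to its first parenthesis, e.g. '45 CFR 164.308'."""
    return citation.split("(")[0].strip()


def dashboard(findings) -> dict:
    """Per-area roll-up {area: (mean score, percent)}, the figures a compliance
    council sees on a results slide."""
    by_area = {}
    for f in findings:
        by_area.setdefault(area_of(f.citation), []).append(f.score())
    return {area: (round(sum(s) / len(s), 2), to_percent(sum(s) / len(s)))
            for area, s in by_area.items()}


def prioritized_gaps(findings, threshold: float = 3.0) -> list:
    """Step 2: findings below the threshold, ordered so the largest shortfall on
    the highest-risk requirement comes first (ties keep assessment order)."""
    gaps = [f for f in findings if f.score() < threshold]
    return sorted(gaps, key=lambda f: (MAX_SCORE - f.score()) * f.risk_weight,
                  reverse=True)


def progress(before, after) -> dict:
    """Step 5: percentage points gained per area between two assessment rounds."""
    b, a = dashboard(before), dashboard(after)
    return {area: a[area][1] - b[area][1] for area in a if area in b}


# Constructed sample findings: the citations are real rule sections, the ratings
# and risk weights are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("45 CFR 164.308(a)(1)(ii)(A)", "Risk analysis", 2, 1, 1, risk_weight=3),
    Finding("45 CFR 164.308(a)(5)", "Security awareness and training", 4, 3, 3, 2),
    Finding("45 CFR 164.308(b)", "Business associate contracts", 3, 2, 2, 2),
    Finding("45 CFR 164.530(a)", "Privacy official designated", 4, 4, 4, 1),
    Finding("45 CFR 164.530(e)", "Sanctions applied and documented", 3, 1, 2, 2),
    Finding("45 CFR 164.514(d)", "Minimum necessary workforce access", 2, 2, 2, 2),
]

# The same findings after remediating the risk-analysis gap (constructed).
SAMPLE_AFTER_REMEDIATION = [
    replace(f, documented=4, practiced=3, reasonable=3)
    if f.requirement == "Risk analysis" else f
    for f in SAMPLE_FINDINGS
]

if __name__ == "__main__":
    for area, (score, pct) in dashboard(SAMPLE_FINDINGS).items():
        print(f"{area:<16} {score:.2f}  {pct}%")
    for f in prioritized_gaps(SAMPLE_FINDINGS):
        print(f"GAP {f.citation}: {f.requirement} (score {f.score():.2f}, weight {f.risk_weight})")
    print("progress:", progress(SAMPLE_FINDINGS, SAMPLE_AFTER_REMEDIATION))
```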
Assigned Compliance Responsibility
Administrative Requirements §164.530(a):
(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations.
Administrative Safeguards §164.308(a): A covered entity must, in accordance with § 164.306:
(2) Standard: Assigned security responsibility. Identify the HIPAA Security Officer who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Workforce Access to PHI
Minimum Necessary §164.514(d):
(1) Standard: minimum necessary requirements
(2)(i) A covered entity must identify: (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
Administrative safeguards § 164.308(a):
(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
Minimum Necessary Workforce Access Worksheet
Minimum Necessary – Routine Requests and Disclosures (§164.514 (e))
(d)(3) Implementation specification: Minimum necessary disclosures of protected health information. (i) For any type of disclosure [or requests] that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
Business Associate Inventory
• Name of BA
• General Services Provided
• Business Owner
• Type of PHI Provided (specific medical information? sensitive?)
• Amount of PHI (# of records, frequency of sharing)
• Business Process Supported (specific services, minimum necessary?)
• Who Do They Share It With?
• BA Contract – up-to-date?
• Criticality to your organization
Minimum Necessary – Non-Routine Requests and Disclosures (§164.514 (e))
(d)(3) Implementation specification: Minimum necessary disclosures of protected health information. (i) For any type of disclosure [or requests] that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures [or requests], a covered entity must: (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and (B) Review requests for disclosure on an individual basis in accordance with such criteria.
Sanctions
Administrative Requirements §164.530(e):
(1) Standard. A covered entity or business associate must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity or business associate must document the sanctions that are applied, if any.
Administrative safeguards § 164.308(a):
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
| Type of Violation | Example of Unauthorized Use or Disclosure | Result | # of Occurrences | Types or examples of Sanctions |
|---|---|---|---|---|
| Non-Intentional or Accidental | Fax to wrong number; Mail to wrong recipient; Voice message; Wrong discharge papers; Loss of records or files | No further disclosure | 1st time | Additional training |
| | | No further disclosure | 2nd time | Note in personnel file and counseling |
| | | No further disclosure | 3rd time | Reassignment or Termination |
| | | Further disclosure | 1st time | Note in file and counseling |
| | | Further disclosure | 2nd time | Reassignment or termination |
| Intentional & Non-Malicious | Snooping | No further disclosure | 1st time | Note in file, counseling or suspension |
| | | No further disclosure | 2nd time | Reassignment, suspension or Termination |
| | | Further disclosure | 1st time | Suspension or Termination |
| Intentional & Malicious | Sharing or sale of information | Business disruption; Financial, reputational or other harm to individuals | 1st time | Termination |

Example of Sanction Criteria (actual sanctions will depend on organizational culture and policy; maintain sufficient flexibility in your Policy to allow for undefined situations)
Incident Reporting and Processing
Administrative Requirements §164.530(f):
(f) Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.
Administrative Safeguards §164.308(a):
(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.
(ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Complaints
Administrative Requirements §164.530(d):
(1) Standard. A covered entity must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.
(2) Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.
Incident Response Protocol
1. Triage: Conduct initial screening; investigate severity; set priorities for the next step; determine timing of notifying management.
2. Investigate: Collect all relevant data for use in analysis; adhere to policy and applicable laws; notify Law Enforcement?
3. Contain: Secure the area; maintain uncontaminated evidence; buy time for proper investigation; limit additional data loss.
4. Analyze: In parallel with Containment, determine the source, root cause, method, motivation and timing of the incident; forensics needed?
5. Mitigate: Reduce the risk of future harm from follow-on data use or disclosure; verify data return or destruction.
6. Remediate: Implement solutions to avoid another incident; consider updates to procedures, technology, training & sanctions.
7. Monitor: Test to ensure the “solution” is working; audit periodically.
8. Document: Maintain a log of all aspects of response activities.
Version Control and Retention
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program
Think Program, Not Project! Assessments are NOT Once and Done.
Start / Year 1: • Oversight • Inventory PHI & ePHI • Inventory BAs • Assessments • Remediation Plans • Policies & Procedures • Business Associate Management • Training
Year 2: • Re-Inventory PHI & ePHI • Re-Inventory BAs • Redo Assessments • Remediation Plans • Policies & Procedures Review • Business Associate Management • Training Update
Ongoing Support and Guidance
Make progress on your remediation plan a standard agenda item with your Compliance Council.
The Breach Notification Rule
• Burden of Proof
• Breach Notification
• Administrative
• All PHI, including ePHI
Breach Exceptions
Exception #1: • Unintentional • Good Faith • Within Scope of Authority • No Further Use or Disclosure
Exception #2: • Inadvertent • To another Authorized Person • Same CE or BA or OHCA • Not Further Used or Disclosed
Exception #3: • Good Faith Belief that information could not be retained
Breach Risk Assessment Factors
The Four Factors and Some Considerations for Analysis of “low probability of compromise”
From the Preamble…
• In addition to the statutory exceptions that have been included in both the interim final rule and this final rule, there may be other similar situations that do not warrant breach notification.
• …there are several situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification.
• We agree with commenters that providing notification in such cases may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.
Breach Risk Assessment Framework
Principles of the Framework
• Each individual breach case is unique
• Each investigation should follow the same process and criteria
• Assessment should guide a decision, but not be the decision itself
• Provide for consistent application
• Modify for both state and federal breach definitions and requirements
• Maintain documentation
Pause & Quick Poll: Breach Preparation Plan?
• Have you developed and tested a Breach Risk Assessment?
YES / NO / DON’T KNOW
Supplemental Materials
7-1. Workforce Access to PHI Inventory template (Excel)
7-2. Business Associates Inventory (Excel)
7-3. Documentation Requirements in Privacy and Breach Notification Rules (Word)
7-4. Breach Preparation Plan (PDF)
7-5. Health IT Policy Committee_Accounting of Disclosures_FINAL_11182013 (PPT)