Transcript of “…Welcome to…” · 12-04-2012 · © 2010-12 Clearwater Compliance LLC | All Rights Reserved
How to Revitalize Your HIPAA-HITECH Compliance Program
WEBINAR April 12, 2012
…Welcome to …
Bob Chaput 615-656-4299 or 800-704-3394 [email protected] Clearwater Compliance LLC
Why is This Man Smiling?
“…only way to change is through enforcement…”
“…our 5% budget reduction doesn’t change anything…”
“… enforcement revenues will be used for restitution for victims…AND… reinvestment in STRATEGIC ENFORCEMENT…”
“… enforcement will continue and intensify…”
“…we’re moving from complaint-driven to proactive enforcement…”
“… we’re looking for the ‘whole menu’…get going on training, PnPs and risk analysis…”
Bob Chaput CISSP, MA, CHP, CHSS, MCSE
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because… …we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… … And, keeping those same organizations off the Wall of Shame…!
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. HIPAA and HITECH are dynamic!
3. Lots of different interpretations!
So there!
Answer Page!
• Adult Education!
• Here’s How to Revitalize Your HIPAA-HITECH Compliance Program
Session Objectives
1. Understand the Problem
2. Review Recent Cases, Data and Facts
3. Actions You Can Take Now!
What’s The Big Deal?
• Street cost for a stolen record: Medical $50 vs. SSN $1 (1)
• Payout for identity theft: Medical $20,000 vs. Regular $2,000 (1)
• Medical records can be exploited 4x longer: credit cards can be cancelled; medical records can’t (1)
(1) RSA Report on Cybercrime and the Healthcare Industry
Medical Record Abuse consequences:
• Prescription Fraud
• Embarrassment
• Financial Fraud
• Personal Data Resale
• Blackmail / Extortion
• Medical Claims Fraud
• Job loss / reputational
Here’s The Big Deal
Three Pillars of HIPAA-HITECH Compliance…
Privacy | Security | Data Breach Notification (HIPAA: Privacy, Security; HITECH: Data Breach Notification)
• Privacy Final Rule: 75 pages / 27K words, 56 Standards, ~60 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words, 22 Standards, ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words, 4 Standards, 9 Implementation Specs
Key Learnings of Successful Organizations - HIPAA-HITECH Compliance
I. It’s a matter of Business Risk Management, not an “IT problem”
II. It must be a Program, not a Project
III. It requires unique skills, knowledge and experience
IV. Four “must have” key ingredients are Policies, Procedures, People and Technology
V. Achieving Compliance is complex and stressful
The Problem
HIPAA HITECH Compliance Is Hard!
• Revenues and assets are at risk
• Reputations are being damaged
• Enforcement is on the upswing
• Penalties are up dramatically
• Class action lawsuits abound
• Regulations are complex and changing
• Few organizations have skills, knowledge and experience to establish solid programs and manage risks proactively
• Few Nurture And Maintain Their Programs As Required By Regulation
Why Should You Care?
1. It’s the law… HIPAA & HITECH!
2. Your stakeholders trust and expect you to do this
3. Your revenues, assets and reputation depend on it!
Session Objectives
1. Understand the Problem
2. Review Data, Facts & Recent Cases
3. Actions You Can Take Now!
The HITECH Act: THREE absolute “game changers”:
1) More Enforcement
2) Bigger fines
3) Wider Net Cast
HITECH = Hey It’s Time to End your Compliance Holiday
“Wall of Shame”
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
As of 03-26-2012: 409 CEs, 85 Named BAs, ~19.2M Individuals, or roughly the population of the State of NY (19.5M)
Quick OCR / KPMG HIPAA Audit Update – 1st 20 Audits
Covered Entity Type          Level 1  Level 2  Level 3  Level 4  Total
Health plans                    2        3        1        2        8
Health care providers           2        2        2        4       10
Health care clearinghouses      1        1        0        0        2
Total                           5        6        3        6       20
Health Plans (Total 8): Medicaid 1, SCHIP 1, Group Health Plans 3, Health Insurance Issuer 3
Health Care Providers (Total 10): Allopathic & Osteopathic Physicians 3, Hospitals 3, Laboratories 1, Dental 1, Nursing and Custodial Facilities 1, Pharmacy 1
Legal Activity
Lawsuits and Enforcement are on the upswing…
• BCBS Tennessee to pay $1.5 million in HIPAA settlement
• Sutter Health Hit With $1B Class-Action Lawsuit
• Patient files $20M lawsuit against Stanford Hospital
• TRICARE Health Management Sued for $4.9B
• UCLA Health System Enters into $865K Resolution Agreement & CAP with OCR
• Cignet Health Fined for Violation of HIPAA Privacy Rule: $4.3M
• MGH entering into a resolution agreement; includes a $1 million settlement
• AvMed Health sued over ‘one of the largest medical breaches in history’
• Health Net keeps paying for its data breach in 2009… $625K and counting
• WellPoint's notification delay following data breach brings action by Attorney General's office
Getting serious…?
Session Objectives
1. Understand the Problem
2. Review Data, Facts & Recent Cases
3. Actions You Can Take Now!
6 Actions to Take Now
Use the Regulations as Checklists!
1. Stand Up Your Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
3. Complete a HIPAA Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A))
4. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR § 164.530 and 45 CFR § 164.316)
5. Complete a Privacy Rule compliance assessment (45 CFR § 164.530)
6. Document and act upon a corrective action plan
Example – HIPAA Security Roadmap
Roadmap components and the regulatory citations shown on the slide:
• HIPAA Security Evaluation – 45 CFR 164.308(a)(8)
• HIPAA Security Management Process – 45 CFR 164.308(a)(1)
• HIPAA Security Risk Analysis – 45 CFR 164.308(a)(1)(ii)(A)
• HIPAA Security Risk Management – 45 CFR 164.308(a)(1)(ii)(B)
• Preliminary Remediation Plan – 45 CFR 164.308(a)(1)(ii)(B)
• Information System Activity Review – 45 CFR 164.308(a)(1)(ii)(D)
• HIPAA Training & Awareness – 45 CFR 164.308(a)(5)(i)
• HIPAA Security Policies & Procedures – 45 CFR 164.316(a)
• Data Breach Notification Plan – 45 CFR Parts 160, 164 Subpart D
• Business Associate Management Plan
• HIPAA Security Operations
Security Evaluation vs. Risk Analysis
Compliance-focused (the Forest) vs. Exposure-focused (the Trees/Weeds)
Both Are Important and Necessary – Compliance Roadmap
HIPAA Security Final Rule “taxonomy”:
• 5 major areas
• 22 Standards
• 53 Implementation Specifications
Where do you stand?
Why do a Security Assessment?
1. Prepare for Mandatory Audits
2. Receive an Objective, Independent 3rd Party Review
3. Build Solid Educational Foundation
4. Meet 45 CFR 164.308(a)(8) - Evaluation
5. Jump-Start Overall Security Compliance Program
6. Develop / Execute Preliminary Remediation Plan
Demonstrate Good Faith Effort
Quick Demo
https://HIPAASecurityAssessment.com
Why Use Clearwater Security Assessment Tool?
http://HIPAASecurityAssessment.com
1. Serves as Assessment Wizard and Advisory Guide
2. Auto-creates Remediation Plan and Provides Management Tool
3. Dynamically Updates Executive Dashboard
4. Establishes Baseline Score for Progress Monitoring
5. Serves as “Living Compliance Manual” and
6. Creates “Single Source of the Truth” and Document Repository
7. Establishes Step 1 in Roadmap to Compliance
Clearwater HIPAA Security Risk Analysis™
Educate | Assess | Respond | Monitor | Document
https://HIPAASecurityRiskAnalysis.com/
High Value – High Impact HIPAA-HITECH Compliance WorkShop™
I. PREPARATION: A. Plan / Gather B. Read Ahead C. Complete QuickScreen™
II. ONSITE ASSESSMENT: A. Facilitate B. Educate C. Evaluate
III. WRITTEN REPORT: A. Findings B. Observations C. Recommendations
Durations shown: ½ Day, ½ Day, 1 Day
Summary and Next Steps
• Don’t Panic! Don’t Freeze!
• Assess the Forest First, Then Get Into the Trees/Weeds
• Engage Executives and Leaders
• Stay Business Risk Management-Focused
• Large or Small: Get Help (Tools, Experts, etc.) and Consider an Independent, Objective Assessment
Clearwater HIPAA Audit Prep BootCamp™ – June 25, 2012 | Chicago, IL
Take Your HIPAA Compliance Program to a Better Place, Faster
Expert Instructors
• Bob Chaput, CISSP, CHP, CHSS, MCSE – CEO, Clearwater Compliance
• Jim Mathis, JD, CHC, CHP – Healthcare Industry Attorney, HIPAA Consultant
• James C. Pyles – Principal, Powers Pyles Sutter & Verville PC
Get Smart!
“On Demand” HIPAA HITECH RESOURCES, IF NEEDED:
1. http://AboutHIPAA.com/about-hipaa/resources/
2. http://AboutHIPAA.com/webinars/
Contact
Bob Chaput, CISSP
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com [email protected]
Phone: 800-704-3394 or 615-656-4299
What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
What’s The Big Deal?
…cost of clinical fraud for each victim was roughly 3.5 times greater than the costs incurred in financial fraud… (1)
…Fraud resulting from medical identity theft takes two forms: (2)
• Physician identification numbers that are stolen and used to bill for services
• Patient identification information stolen and used to obtain services or to bill for services
…victims inadvertently could be treated based on someone else's medical history and who might, as a result, have a difficult time rebuilding their medical files.
(1) Ponemon Institute, “Second Annual Survey on Medical Identity Theft.” (2011)
(2) “Identity Theft Steals Millions from Government Health Programs” by Jim McKay, Justice and Public Safety Editor, Government Technology http://www.govtech.com/security/Identity-Theft-Steals-Millions-from-Government.html
What’s The Big Deal?
• Based on a recent Ponemon Institute study, the average cost per lost healthcare record was projected to be $282 per record in 2008, or nearly $3MM for a breach of 10,000 records
• A recent study found that over the past six years, data breaches have cost organizations well in excess of $155 billion (1). These losses do not even include actual losses sustained by the victims of the breach, but account for only the organizations' costs.
(1) “Beware of Costly Data Breaches” by William B. Baker, Kathleen A. Kirby & Amy E. Worlton, Sept 2011 / Mass Media Headlines
http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=5&id=7505&&elq_mid=16002&elq_cid=1094517#page=1
What’s The Big Deal - $$$
• A clerk in a medical clinic in a Florida hospital stole the medical IDs of 1,100 patients and sold them. The numbers were subsequently used to bill Medicare for $2.8 million in false claims (1)
• In 2005, the records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress (2).
(1) McKay, Jim. “Identity Theft Steals Millions from Government Health Programs.” GovTech.com. 12 Feb. 2008. Web. 6 Sept. 2011. http://www.govtech.com/security/Identity-Theft-Steals-Millions-from-Government.html
(2) Brodkin, Jon. “ChoicePoint Details Data Breach Lessons.” PCWorld. 11 June 2007. Web. 7 Sept. 2011. http://www.pcworld.com/article/132795/choicepoint_details_data_breach_lessons.html
ePHI & Security
PHI – Privacy & security are an essential part of the healthcare vision
• What if my Protected Health Information is not complete, up-to-date and accurate?
• What if my Protected Health Information is shared? With whom? How?
• What if my Protected Health Information is not there when it is needed?
New Civil Monetary Penalty System
• Tier 1 (Accidental)
  – $100 each violation
  – Up to $25,000 for identical violations, per year
• Tier 2 (Not Willful Neglect, but Not Accidental)
  – $1,000 each violation
  – Up to $100,000 for identical violations, per year
• Tier 3 (Willful Neglect, but Corrected)
  – $10,000 each violation
  – Up to $250,000 for identical violations, per year
• Tier 4 (Willful Neglect, Not Corrected)
  – $50,000 each violation
  – Up to $1.5 million, per year
PS – Don’t Forget Criminal Penalties
Congress also established criminal penalties for certain actions…
• Up to $50,000 and one year in prison for certain offenses such as knowingly obtaining PHI
• Up to $100,000 and up to five years in prison if the offenses are committed under false pretenses
• Up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.