Copyright Notice
Copyright Notice. All materials contained within this document are
protected by United States copyright law and may not be
reproduced, distributed, transmitted, displayed, published, or
broadcast without the prior, express written permission of Clearwater
Compliance LLC. You may not alter or remove any copyright or
other notice from copies of this content.
For reprint permission and information, please direct your inquiry to
bob.chaput@clearwatercompliance.com
1
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for
educational purposes only. This information is based on current federal law and
subject to change based on changes in federal law or subsequent interpretative
guidance. Since this information is based on federal law, it must be modified to
reflect state law where that state law is more stringent than the federal law or other
state law exceptions apply. This information is intended to be a general information
resource regarding the matters covered, and may not be tailored to your specific
circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND
ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR
OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational
reference in any of the following materials should not be assumed as an
endorsement by Clearwater Compliance LLC.
2
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Welcome to
today’s Live
Event… we will
begin shortly…
Please feel free
to use “Chat” or
“Q&A” to tell us
any ‘burning’
questions you
may have in
advance…
3
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Webinar Slide Deck
WEBINAR(
(
January(17,(2014
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Check “Chat” or
“Question” area
on GoToWebinar
Control panel to
copy/paste link
and download
materials
5
http://clearwatercompliance.com/wp-content/uploads/2014/01/201401-17_How-To-Meet-HIPAA-HITECH-Encryption-Requirements_V3.pdf
4
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
How to Meet HIPAA-HITECH Encryption
Requirements & Beyond
WEBINAR
January 17, 2014
Bob Chaput, CISSP, CIPP-US, CHP, CHSS
CEO & Founder
Clearwater Compliance LLC
615-656-4299 or 800-704-3394
bob.chaput@ClearwaterCompliance.com
Stephen Treglia, JD
Legal Counsel, Recovery Section
Absolute Software Corporation
(877) 600-2293
streglia@absolute.com
5
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
6
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Stephen Treglia, JD
•
Legal Counsel, Absolute’s Investigations & Recovery Section 2010 –
present
•
Prosecutor in New York 1980-2010
•
Investigated/prosecuted Organized Crime 1985-1995
•
Used computers, seized computers
•
Started investigating/prosecuting computer crime 1996
•
Created one of first Technology Crime Units 1997, headed it to 2010
•
Started investigating/prosecuting Absolute cases in 2006
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Bob Chaput
MA, CISSP, CIPP/US, CHP, CHSS
•
•
•
•
•
•
•
•
President – Clearwater Compliance LLC
30+ years in Business, Operations and Technology
20+ years in Healthcare
Executive | Educator |Entrepreneur
Global Executive: GE, JNJ, HWAY
Responsible for largest healthcare datasets in world
Numerous Technical Certifications (MCSE, MCSA, etc)
Expertise and Focus: Healthcare, Financial Services, Retail, Legal
•
Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE,
AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
8
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Session Objectives
1. Define and understand basic HIPAAHITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
9
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Answer Page!
1. Secure Your PHI  Avoid the “Wall
of Shame” …Get Started Now
2. Technology solutions are an
important part, but only part of a
balanced Security Program
3. Large or Small: Consider Getting
Help (Tools, Experts, etc)
4. Encryption is likely not enough;
consider additional safeguards
Balanced1Compliance1Program1
People!must!include!
Policy!defines!an!
organiza- on’s!values!&!
expected!behaviors;!
establishes!“good!faith”!
intent!
Procedures!or!
processes!–!documented!F!
provide!the!ac- ons!required!
to!deliver!on!organiza- on’s!
values.!
Balanced
Compliance
Program
talented!privacy!&!
security!&!technical!staff,!
engaged!and!suppor- ve!
management!and!
trained/aware!colleagues!
following!PnPs.!!
Safeguards11
includes!the!various!families!
of!administra- ve,!physical!or!
technical!security!controls!
Clearwater1Compliance1Compass™1
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
33
10
Oops! Missed That Safe Harbor Thingy!
AvMed, Inc.
FL
Cincinnati Children's Hospital Medical Center OH
Praxair Healthcare Services, Inc.
CT
Thomas Jefferson University Hospitals, Inc.
PA
Aultman Hospital
OH
Department of Health Care Policy & Financing CO
Montefiore Medical Center
NY
St. Joseph Heritage Healthcare
CA
University of Oklahoma-Tulsa, Neurology ClinicOK
Montefiore Medical Center
NY
Geisinger Wyoming Valley Medical Center
PA
The Children's Medical Center of Dayton
OH
Sinai Hospital of Baltimore, Inc.
MD
Reliant Rehabilitation Hospital North Houston TX
Blue Cross Blue Shield of Tennessee
TN
Providence Hospital
MI
Puerto Rico Department of Health
PR
Triple-S Salud, Inc.
PR
Seacoast Radiology, PA
NH
Ankle & foot Center of Tampa Bay, Inc.
FL
Silicon Valley Eyecare Optometry and Contact Lenses
CA
1,220,000 12/10/2009 Theft
Laptop
60,998 3/27/2010 Theft
Laptop
54,165 2/18/2010 Theft
Laptop
21,000 6/14/2010 Theft
Laptop
13,867
6/7/2010 Theft
Laptop
105,470 5/17/2010 Theft
Desktop Computer
23,753
6/9/2010 Theft
Desktop Computer
22,012
3/6/2010 Theft
Desktop Computer
19,264 7/25/2010 Hacking/IT Incident
Desktop Computer
16,820 5/22/2010 Theft
Desktop Computer
2,928 11/6/2010 Unauthorized Access/Disclosure
E-mail
1,001 4/22/2010 Unauthorized Access/Disclosure
E-mail
937
5/3/2010 Unauthorized Access/Disclosure
E-mail
763
2/9/2010 Unauthorized Access/Disclosure
E-mail
1,023,209 10/2/2009 Theft
Hard Drives
83,945
2/4/2010 Loss
Hard Drives
400,000 9/21/2010 Unauthorized Access/Disclosure,
Network
Hacking/IT
Server
Incident
398,000
9/9/2010 Theft
Network Server
231,400 11/12/2010 Hacking/IT Incident
Network Server
156,000 11/10/2010 Hacking/IT Incident
Network Server
40,000
4/2/2010 Theft
Network Server
3,895,532
11
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Session Objectives
1. Define and understand basic HIPAAHITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
12
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Key Terms & Concepts
1. Protected Health Information (PHI)
2. electronic PHI (ePHI)
3. Secured PHI
4. Unsecured PHI
5. Data Breach
6. Encryption
7. Destruction
8. Safe Harbor
9. Security Essentials
10. Required versus Addressable
13
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Protected Health Information
• Protected Health
Information (PHI) is any
information about health
status, provision of
health care, or payment
for health care that can
be linked to a specific
individual.
• PHI is interpreted rather broadly and includes any part of a
patient’s medical record or payment history
• …and, that is linked to personal (18) identifiers
14
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Data Breach
• A breach is, generally, an
impermissible use or
disclosure under the Privacy
Rule that compromises the
security or privacy of the
protected health
information such that the
use or disclosure poses a
significant risk of financial,
reputational, or other harm
to the affected individual.
15
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Don’t Panic!
Event
?
Incident
?
Breach
16
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Unsecured PHI
• Unsecured PHI is PHI that has
not been rendered unusable,
unreadable, or indecipherable
• CEs and BAs must only
provide the required
notification if the breach
involved unsecured protected
health information.
17
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Encryption
Encryption means the use
of an algorithmic
process to transform
data into a form in
which there is a low
probability of assigning
meaning without use of
a confidential process
or key.1
145
C.F.R. § 164.304 Definitions
18
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Safe Harbor
“This guidance is intended to describe
the technologies and methodologies that
can be used to render PHI unusable,
unreadable, or indecipherable to
unauthorized individuals.
While covered entities and business
associates are not required to follow the
guidance, the specified technologies and
methodologies, if used, create the
functional equivalent of a safe harbor,
and thus, result in covered entities and
business associates not being required
to provide the notification otherwise
required by section 13402 in the event of
a breach.”1
1
DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health
Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health
Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
19
Session Objectives
1. Define and understand basic HIPAAHITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
20
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Security Rule & Encryption
22 Security Standards
•
•
•
•
•
Access Control
Audit Control
Integrity
Person or Entity Authentication
Transmission Security
•
•
•
•
Facility Access Control
Workstation Use
Workstation Security
Device & Media Control
•
•
•
•
•
•
•
•
•
Security Management Process
Security Officer
Workforce Security
Information Access Mgmt
Security Training
Security Incident Process
Contingency Plan
Evaluation
Business Associate Contracts
Technical
Safeguards
HIPAA
ACTUALLY
SAYS LITTLE
ABOUT
ENCRYPTION!
for EPHI
Physical Safeguards
for EPHI
Administrative
Safeguards for EPHI
Privacy Rule  Reasonable
Safeguards for all PHI
21
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Access Control (think Data at Rest)
45 C.F.R. §164.312(a)(1)
Standard: Access Control.
(i)
Implement technical policies and procedures for electronic
information systems that maintain electronic protected health
information to allow access only to those persons or software
programs that have been granted access rights as specified in
Sec.164.308(a)(4).
…
(2) Implementation specifications:
(iv)
Encryption and Decryption. (Addressable). Implement a
mechanism to encrypt and decrypt electronic protected health
information.
22
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Transmission Security (think Data in Motion)
45 C.F.R. §164.312(e)(1)
Standard: Transmission Security.
(i)
Transmission Security -Section 164.312(e)(1) - Implement
technical security measures to guard against unauthorized
access to electronic protected health information that is being
transmitted over an electronic communications network.
(2) Implementation specifications:
(ii)
Encryption (Addressable). Implement a mechanism to
encrypt electronic protected health information whenever
deemed appropriate.
23
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
The Security Rule
Required vs. Addressable1
(i)
Assess whether each implementation
specification is a reasonable and appropriate
safeguard in its environment, when analyzed
with reference to the likely contribution to
protecting the entity’s electronic protected
health information; and
(ii) As applicable to the entity—
(A) Implement the implementation specification if
reasonable and appropriate; or
(B) If implementing the implementation specification is
not reasonable and appropriate—
(1) Document why it would not be reasonable and
appropriate to implement the implementation
specification; and
(2) Implement an equivalent alternative measure
if reasonable and appropriate.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
145
ADDRESSABLE
≠
OPTIONAL
CFR 164.306(d)(3)
24
MU Stage 2 Requirements
Objective: Protect electronic health information created
or maintained by the Certified EHR Technology through the
implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in
accordance with the requirements under 45 CFR
164.308(a)(1), including addressing the
encryption/security of data at rest in accordance with
requirements under 45 CFR 164.312(a)(2)(iv) and 45
CFR 164.306(d)(3), and implement security updates as
necessary and correct identified security deficiencies as
part of the provider's risk management process.
25
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
The HITECH Act
THREE absolute “game changers”:
1) More Enforcement
2) Bigger fines
3) Wider Net Cast
26
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
HIPAA Rules Fall short…
HITECH Addressed
• No definition of Secured or
Unsecured PHI in HIPAA!
• The HITECH Act  Secretary
of Health and Human
Services must issue guidance
• Securing PHI as defined in the new guidance is important
because secured PHI is not subject to the breach
notification requirements of the HITECH Act.
27
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Encryption Definition
45 CFR 164.304 Definitions
• Encryption means the use of an algorithmic process to
transform data into a form in which there is a low
probability of assigning meaning without use of a
confidential process or key.
28
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
HHS / OCR Guidance1
• Two methodologies to secure PHI by making it
unusable, unreadable or indecipherable to
unauthorized persons:
• Encryption
• Destruction
• May be used to secure data in four commonly
recognized data states:
1. data in motion
2. data at rest
3. data in use
4. data disposed
1
DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under
Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009;
Request for Information
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
29
Encryption Guidance
Based on HHS/OCR Guidance1…
• Valid encryption processes for data at
rest are consistent with NIST Special
Publication 800-111, Guide to Storage
Encryption Technologies for End User
Devices.
• Valid encryption processes for data in motion are those
which comply, as appropriate, with:
•
•
•
NIST SP800-52, Guidelines for the Selection and Use of Transport Layer
Security (TLS) Implementations;
NIST SP800-77, Guide to IPsec VPNs;
NIST SP800-113, Guide to SSL VPNs,
•
or others Federal Information Processing Standards (FIPS) 140-2 validated.
1http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
30
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Destruction Guidance
• Must shred or destroy paper,
film or other media
• Electronic media  cleared,
purged or destroyed
consistent with NIST SP 80088, Guidelines for Media
Sanitization
31
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
2012 OCR Audit Protocol
Audit Procedures
1. Inquire of management as to whether an encryption mechanism
is in place to protect ePHI.
2. Obtain and review formal or informal policies and procedures
and evaluate the content relative to the specified criteria to
determine that encryption standards exist to protect ePHI.
Based on the complexity of the entity, elements to consider
include but are not limited to:
a. Type(s) of encryption used.
b. How encryption keys are protected.
c. Access to modify or create keys is restricted to appropriate
personnel.
d. How keys are managed.
3. If the covered entity has chosen not to fully implement this
specification, the entity must have documentation on where
they have chosen not to fully implement this specification and
their rationale for doing so. Evaluate this documentation if
applicable.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
32
Balanced Compliance Program
People must include
Policy defines an
organization’s values &
expected behaviors;
establishes “good faith”
intent
Procedures or
processes – documented provide the actions
required to deliver on
organization’s values.
Balanced
Compliance
Program
talented privacy &
security & technical staff,
engaged and supportive
management and
trained/aware colleagues
following PnPs.
Safeguards
includes the various families
of administrative, physical or
technical security controls
(including “guards, guns, and gates”,
encryption, firewalls, anti-malware,
intrusion detection, incident
management tools, etc.)
Clearwater Compliance Compass™
33
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Session Objectives
1. Define and understand basic HIPAAHITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next
steps to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
34
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Next Actions to Meet Requirements
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Get Educated on Encryption
Determine Regulations that Apply to You
Include ALL “ePHI homes”
Decide If Encryption is Enough
Establish Selection Criteria
Identify Alternatives for Secure PHI
Test Top Alternatives  Don’t Create Bricks!
Ensure Fit Into an Overall HIPAA Compliance Plan
Put BAs and Subcontractors on Notice
Seek Help, If Needed
35
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Session Objectives
1. Define and understand basic HIPAAHITECH relevant terms and concepts
2. Review the specific requirements of
HIPAA and HITECH for encryption
3. Provide practical, actionable next steps
to take to meet HIPAA-HITECH
encryption requirements
4. Address Why Encryption is Not
Enough!
36
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Is Encryption Enough?
37
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Graphical representation of state laws
• NM, SD, Kentucky, Alabama lack
statutes
• Darker colors – tougher laws
• Virginia considered toughest because of
highest penalties
• California started this with law passed
in 2002, effective 2003
• Generally applies to government
agencies and businesses
• Some States also cover healthcare
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
What even constitutes a breach requiring
notification?
• Again, varies State by State
• Typically, the release of a name
and some other identifier
• Address, SSN, account number
• Some States have a harm
requirement; some don’t
• Some require a minimum #
breached before notification
required
• Some make encryption a safe
harbor; some don’t
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
But does encryption always = “Safe Harbor”?
•
Those who claim encryption is a safe harbor to
HIPAA regulation should read 74 Federal Register
79 – issued 4/27/09
•
Guidance Specifying the Technologies and
Methodologies That Render Protected Health
Information Unusable, Unreadable, or
Indecipherable to Unauthorized Individuals
•
At page 19009 – “(a) Electronic PHI has been
encrypted as specified in the HIPAA Security Rule
by ‘the use of an algorithmic process to transform
data into a form in which there is a low
probability of assigning meaning without use of a
confidential process or key’ and such confidential
process or key that might enable decryption has
not been breached.”
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
New York General Business Law § 899-aa
Prior statute:
Current statute:
• "Personal identifying information" • "Private information" shall
means personal information
mean personal information
consisting of any information in
consisting of any information
combination with any one or more
in combination with any one or
of the following data elements,
more of the following data
when either the personal
elements, when either the
information or the data element is
personal information or the
not encrypted, or encrypted with
data element is not encrypted,
an encryption key that is included
or encrypted with an
in the same record as the encrypted
encryption key that has also
personal information or data
been acquired:
element:
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Several States do allow encryption to be a
safe harbor
Arizona 44-7501A
• 44-7501. Notification of breach of security system;
enforcement; civil penalty; preemption; exceptions;
definitions
A. When a person that conducts business in this state and that
owns or licenses unencrypted computerized data that includes
personal information becomes aware of an incident of
unauthorized acquisition and access to unencrypted or
unredacted computerized data that includes an individual's
personal information, the person shall conduct a reasonable
investigation to promptly determine if there has been a breach
of the security system. If the investigation results in a
determination that there has been a breach in the security
system, the person shall notify the individuals affected.
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
What does all this volatility mean to you?
• Causes the most problems for
multi-state entities
• How do compliance officers
respond?
• They comply with “highestdenominator”
• Means they comply with the
toughest State statues to play it
safe
• If in compliance with the toughest
• They’re in compliance with the rest
• Why is staying compliant
important?
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Consider More Robust Technology
44
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Many Services/Many Solutions/Even Unique Ones
• Computrace/Lojack for Laptops/Patented
Persistence – Unique to the industry
• Many devices/one solution – Also unique
• Recovery staff of 43 ex-law enforcement
officers/over 1000 years experience – Also
unique
• Encrypted devices/Encryption Reports
• Device Freeze/Data Delete
• Geo-fencing/Data Loss Prevention
• Forensic/Investigative Services
• Can tell what data is and isn’t seen/Report
generated
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Compliance is important way beyond HIPAA penalties & fines
•
Think as an ambulance-chasing attorney for a moment
•
Each listing of a breached healthcare system is > 500 identities
•
Generally, breached identity is valued at a minimum of $1000
•
Class action lawsuit just waiting to happen
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Apropos analogies?
Shooting fish in a barrel
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Shooting sitting ducks
(from a blind that’s
not all that blind)
A $4.9 BILLION Lawsuit
•
U.S. Dept. of Defense defendant for theft of computer tape from car driven by employee
of the subcontractor of one of its Business Associates
•
Records of 4.9 million members of military on the tape
•
$1000 per victim = $4.9 billion
•
Business Associate also a defendant, but not the subcontractor (sue the entities with the
biggest pockets)
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Another $4 BILLION Lawsuit ???
Failing to use
Encryption
49
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Share Price
July 2011 - Accretive
employee’s laptop
computer, containing 20
million pieces of
information on 23,000
patients, was stolen from
the passenger
compartment of the
employee’s car
4/2/2013
CEO
Replaced
http://finance.yahoo.com/echarts?s=AH+I
nteractive#symbol=ah;range=5y;compare
=;indicator=volume;charttype=area;cross
hair=on;ohlcvalues=0;logscale=off;source
=undefined;
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
1/19/2012 MN 7/31/2012
$2.5M MN SAG
SAG Suit
Settlement
9/27/2013
$14M Class
8/26/2013 Settlement
CFO
Replaced
6/13/2013
Class Suit
12/31/2013
FTC Settle.
50
Summary
1. Secure Your PHI  Avoid the “Wall
of Shame” …Get Started Now
2. Technology solutions are an
important part, but only part of a
balanced Security Program
3. Large or Small: Consider Getting
Help (Tools, Experts, etc)
Balanced1Compliance1Program1
People!must!include!
Policy!defines!an!
organiza- on’s!values!&!
expected!behaviors;!
establishes!“good!faith”!
intent!
Procedures!or!
processes!–!documented!F!
provide!the!ac- ons!required!
to!deliver!on!organiza- on’s!
values.!
Balanced
Compliance
Program
talented!privacy!&!
security!&!technical!staff,!
engaged!and!suppor- ve!
management!and!
trained/aware!colleagues!
following!PnPs.!!
Safeguards11
includes!the!various!families!
of!administra- ve,!physical!or!
technical!security!controls!
Clearwater1Compliance1Compass™1
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
33
51
Resources
Risk Analysis Buyer’s Guide:
http://abouthipaa.com/about-hipaa/hipaa-riskanalysis-resources/hipaa-risk-analysis-buyersguide-checklist/
Encryption & Risk Analysis
Information:
http://abouthipaa.com/about-hipaa/hipaahitech-resources/
52
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Resources
Register For Upcoming Live
HIPAA-HITECH Webinars at:
http://clearwatercompliance.com
/live-educational-webinars/
View pre-recorded Webinars like this
one at:
http://clearwatercompliance.com/ondemand-webinars/
53
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Clearwater HIPAA Compliance
BootCamp™ Events
March 17| Live HIPAA BootCamp™ | Detroit
February 12, 19, 26 | HIPAA Virtual BootCamp™
Other 2014 Plans - Live, InPerson Events (9-hours):
• March 17 – Detroit
• April 24 - San Francisco
• July 24 – Boston
• October 16 - Los Angeles
Other 2014 Plans – Virtual, WebBased Events (3, 3-hr sessions):
• May 14-21-28
• August 13-20-27
• November 5-12-19
Take Your HIPAA
Privacy and Security
Program to a Better
Place, Faster
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
54
HIPAA Compliance BootCamp™
Welcome, Introductions and Overview
1. How to Set Up Your Privacy and Security Risk Management & Governance Program
2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule
3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and
Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to Prepare for and Manage an OCR Investigation
5. How to Train all Members of Your Workforce
Networking Luncheon & Refresh
6. Panel Discussion – How to Implement a Strong, Proactive Business Associate
Management Program
7. How to Complete All HIPAA Security Rule Assessment Requirements
Networking Break
8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”
9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and
HITECH Breach Notification Rule
Buffer Time, Q&A, Final Remarks
Attendee Reception (optional)
HOW TO…
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
55
Expert Instructors
Mary Chaput, MBA, CIPP/US, CHP
CFO & Chief Compliance Officer
Clearwater Compliance
Meredith Phillips, MHSA, CHC, CHPC Chief
Information Privacy & Security Officer
Henry Ford Health System
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Elizabeth Warren, Esq.
Partner
Bass, Berry & Sims, PLC
Bob Chaput, CISSP, CIPP/US CHP,
CHSS
CEO
Clearwater Compliance
David Finn, CISA, CISM, CRISC
Health IT Officer
Symantec Corporation
Gregory J. Ehardt, JD, LL.M.
HIPAA/Assistant Compliance
Officer - HCA Adjunct Professor
Office of General Counsel
Idaho State University
56
Contact
Bob Chaput, CISSP, CIPP-US, CHP, CHSS
CEO & Founder
Clearwater Compliance LLC
615-656-4299 or 800-704-3394
bob.chaput@ClearwaterCompliance.com
Stephen Treglia, JD
Legal Counsel, Recovery Section
Absolute Software Corporation
(877) 600-2293
streglia@absolute.com
57
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
© 2010-12 Clearwater Compliance LLC | All Rights Reserved