BOS HIPAA BootCamp - Module 0 - Welcome-Introduction...
7/28/2014
© Clearwater Compliance LLC | All Rights Reserved | 1
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
HIPAA Compliance BootCamp™
Bob Chaput, 615‐656‐4299 or 800‐704‐[email protected] Compliance LLC
Welcome and Overview
1. Faculty
2. Objectives & Agenda
3. Logistics
About HIPAA‐HITECH Compliance
1. We are not practicing law!
2. The Omnibus has arrived!
3. Lots of different interpretations!
Pause & Quick Poll: HIPAA‐HITECH 101
• Were you able to attend our HIPAA-HITECH 101 session? (Yes / No)
Expert Instructors
• Gregory J. Ehardt, JD, LL.M. | HIPAA/Assistant Compliance Officer - HCA Adjunct Professor Office of General Counsel | Idaho State University
• Bob Chaput, CISSP, HCISPP, CIPP/US | CEO | Clearwater Compliance
• Elizabeth Warren, Esq. | Partner | Bass, Berry & Sims, PLC
• Mary Chaput, MBA, HCISPP, CIPP/US, CHP | CFO & Chief Compliance Officer | Clearwater Compliance
• Meredith Phillips, MHSA, CHC, CHPC | Chief Information Privacy & Security Officer | Henry Ford Health System
• David Finn, CISA, CISM, CRISC | Health IT Officer | Symantec Corporation
Learning Objectives
Attendees Will Be Able To:
1. Demonstrate a working knowledge of HIPAA Privacy and Security Rules and HITECH Breach Notification Interim Final Rule
2. Teach colleagues key components of the OCR audits
3. Describe key sources and magnitude of liability and risk
4. Explain a step‐by‐step strategy for preparing for an OCR audit or investigation
5. Understand and use Privacy and Security regulatory terminology
6. Differentiate between HIPAA civil and criminal penalties, including the new Civil Monetary Penalty System
7. Explain the difference between a HIPAA Security Evaluation and a HIPAA Security Risk Analysis
8. Select or develop appropriate policies and procedures for HIPAA compliance
9. Prioritize compliance gaps in your HIPAA‐HITECH compliance program
10. Build your Compliance Remediation Plan
Help You Become Compliant and Avoid an OCR Enforcement Action
Help Us All Improve Access to Care, Timely Care & Higher Quality Care
Please Reference Agenda
Action‐Packed | Collaborative | Practical, Actionable Info | Current
Lots of Tools Provided!
Logistics and Other Items
1. Breaks and Lunch
2. Rest Rooms
3. Cell Phones
4. Questions / Comments / Concerns
5. Basecamp
6. Course Evaluation
7. Your Objectives
8. Orientation to Student WorkBook
9. Supplemental Materials
10. Keep Your “Punch List”
Student Materials On Password‐Protected Web Page
1. Program Agenda / Syllabus
2. Presentation Slides
3. White Papers
4. ClearwaterCompliance.com website
5. Course Evaluation
6. Supplemental Resources
7. Continuing Education Units
8. Etc.
Clearwater HIPAA Mentor™
• 30 Day Access, from today!
• Clearwater Expert
• Email | Phone | GoToMeeting
• All Clearwater HIPAA Compliance BootCamp™ Attendees
• Contact: Bob Chaput
– I’ll assist you or connect you with an Expert
Our Overarching Mission
Avoid the following…
1. Complaint
2. Breach Notice
3. SAG HITECH Action
4. FTC Action
5. Whistleblower
6. State Action (e.g., DHCS)
7. OCR Audit
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html
Clearwater Compliance Compass™
Balanced Compliance Program
Four Critical Dimensions
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
• Procedures or processes – documented ‐ provide the actions required to deliver on organization’s values.
• Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti‐malware, intrusion detection, incident management tools, etc.)
9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!
Agenda – HOW TO…
Welcome, Introductions and Overview
1. How to Set Up Your Privacy and Security Risk Management & Governance Program
2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule
3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to Prepare for and Manage an OCR Investigation
5. How to Train all Members of Your Workforce
Lunch and Networking Break
6. Panel Discussion – How to Implement a Strong, Proactive Business Associate Management Program
7. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule
Networking Break
8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”
9. How to Complete the HIPAA Security Rule Risk Analysis and Technical Testing Requirements
Reception and Networking
One last thing…
Questions?
Accretive Health Case Study
Accretive Share Price & Story
• July 2011 - Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car
• 1/19/2012 MN SAG Suit
• 7/31/2012 $2.5M MN SAG Settlement
• 4/2/2013 CEO Replaced
• 4/13/2013 COO Replaced
• 6/13/2013 Class Action Suit
• 8/26/2013 CFO Replaced
• 9/27/2013 $14M Class Settlement
• 12/31/2013 FTC Settle.
• 01/2014 170 Job Cuts
• 03/14/2014 De-Listed NYSE