Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2010-12 Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected.

Published byLester Horton Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2010-12 Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected."— Presentation transcript:

1 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to bob.chaput@clearwatercompliance.com bob.chaput@clearwatercompliance.com

2 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Legal Disclaimer 2 Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

3 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 3 Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…

4 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Webinar Slide Deck http://clearwatercompliance.com/wp-content/uploads/2014/01/2014- 01-17_How-To-Meet-HIPAA-HITECH-Encryption-Requirements_V3.pdf 4 Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials

5 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 5 How to Meet HIPAA-HITECH Encryption Requirements & Beyond WEBINAR January 17, 2014 Stephen TregliaStephen Treglia, JD Legal Counsel, Recovery Section Absolute Software Corporation (877) 600-2293 streglia@absolute.com Bob ChaputBob Chaput, CISSP, CIPP-US, CHP, CHSS CEO & Founder Clearwater Compliance LLC 615-656-4299 or 800-704-3394 bob.chaput@ClearwaterCompliance.com

6 © 2010-12 Clearwater Compliance LLC | All Rights Reserved About HIPAA-HITECH Compliance 1. We are not attorneys! 2. The Omnibus has arrived! 3. Lots of different interpretations! So there! 6

7 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Legal Counsel, Absolute’s Investigations & Recovery Section 2010 – present Prosecutor in New York 1980-2010 Investigated/prosecuted Organized Crime 1985-1995 Used computers, seized computers Started investigating/prosecuting computer crime 1996 Created one of first Technology Crime Units 1997, headed it to 2010 Started investigating/prosecuting Absolute cases in 2006 Stephen Treglia, JD

8 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Bob Chaput MA, CISSP, CIPP/US, CHP, CHSS 8 President – Clearwater Compliance LLCClearwater Compliance LLC 30+ years in Business, Operations and Technology 20+ years in Healthcare Executive | Educator |Entrepreneur Global Executive: GE, JNJ, HWAY Responsible for largest healthcare datasets in world Numerous Technical Certifications (MCSE, MCSA, etc) Expertise and Focus: Healthcare, Financial Services, Retail, Legal Member: IAPP, ISC 2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards http://www.linkedin.com/in/BobChaput

9 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Session Objectives 1.Define and understand basic HIPAA- HITECH relevant terms and concepts 2.Review the specific requirements of HIPAA and HITECH for encryption 3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements 4.Address Why Encryption is Not Enough! 9

10 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 10 1.Secure Your PHI  Avoid the “Wall of Shame” … Get Started Now Answer Page! 2.Technology solutions are an important part, but only part of a balanced Security Program 4.Encryption is likely not enough; consider additional safeguards 3.Large or Small: Consider Getting Help (Tools, Experts, etc)

11 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Oops! Missed That Safe Harbor Thingy! 11

12 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Session Objectives 12 1.Define and understand basic HIPAA- HITECH relevant terms and concepts 2.Review the specific requirements of HIPAA and HITECH for encryption 3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements 4.Address Why Encryption is Not Enough!

13 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 13 Key Terms & Concepts 1.Protected Health Information (PHI) 2.electronic PHI (ePHI) 3.Secured PHI 4.Unsecured PHI 5.Data Breach 6.Encryption 7.Destruction 8.Safe Harbor 9.Security Essentials 10.Required versus Addressable

14 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Protected Health Information Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. 14 PHI is interpreted rather broadly and includes any part of a patient’s medical record or payment history …and, that is linked to personal (18) identifiers

15 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 15 Data Breach A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

16 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Don’t Panic! Event 16 Incident Breach ? ?

17 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Unsecured PHI Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable CEs and BAs must only provide the required notification if the breach involved unsecured protected health information. 17

18 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 18 Encryption Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 1 1 45 C.F.R. § 164.304 Definitions

19 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Safe Harbor “This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach.” 1 19 1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

20 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Session Objectives 20 1.Define and understand basic HIPAA- HITECH relevant terms and concepts 2.Review the specific requirements of HIPAA and HITECH for encryption 3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements 4.Address Why Encryption is Not Enough!

21 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Security Rule & Encryption Privacy Rule  Reasonable Safeguards for all PHI Physical Safeguards for EPHI Technical Safeguards for EPHI Administrative Safeguards for EPHI Security Management Process Security Officer Workforce Security Information Access Mgmt Security Training Security Incident Process Contingency Plan Evaluation Business Associate Contracts Access Control Audit Control Integrity Person or Entity Authentication Transmission Security Facility Access Control Workstation Use Workstation Security Device & Media Control 21 HIPAA ACTUALLY SAYS LITTLE ABOUT ENCRYPTION! 22 Security Standards

22 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 45 C.F.R. §164.312(a)(1) Standard: Access Control. (i)Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec.164.308(a)(4). … (2) Implementation specifications: (iv)Encryption and Decryption. (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. 22 Access Control (think Data at Rest)

23 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 45 C.F.R. §164.312(e)(1) Standard: Transmission Security. (i)Transmission Security -Section 164.312(e)(1) - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (2) Implementation specifications: (ii)Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. 23 Transmission Security (think Data in Motion)

24 © 2010-12 Clearwater Compliance LLC | All Rights Reserved The Security Rule Required vs. Addressable 1 (i)Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and (ii) As applicable to the entity— (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate— (1)Document why it would not be reasonable and appropriate to implement the implementation specification; and (2)Implement an equivalent alternative measure if reasonable and appropriate. 24 ADDRESSABLE≠OPTIONAL 1 45 CFR 164.306(d)(3)

25 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 25 MU Stage 2 Requirements Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.

26 © 2010-12 Clearwater Compliance LLC | All Rights Reserved The HITECH Act THREE absolute “game changers”: 1)More Enforcement 2)Bigger fines 3)Wider Net Cast 26

27 © 2010-12 Clearwater Compliance LLC | All Rights Reserved HIPAA Rules Fall short… HITECH Addressed HITECH Addressed No definition of Secured or Unsecured PHI in HIPAA! The HITECH Act  Secretary of Health and Human Services must issue guidance 27 Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.

28 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Encryption Definition 45 CFR 164.304 Definitions Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 28

29 © 2010-12 Clearwater Compliance LLC | All Rights Reserved HHS / OCR Guidance 1 Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons: Encryption Destruction May be used to secure data in four commonly recognized data states: 1.data in motion 2.data at rest 3.data in use 4.data disposed 29 1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for InformationDEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

30 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Encryption Guidance Based on HHS/OCR Guidance 1 … Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices 30 Valid encryption processes for data in motion are those which comply, as appropriate, with: NIST SP800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;NIST SP800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations NIST SP800-77, Guide to IPsec VPNs;NIST SP800-77, Guide to IPsec VPNs NIST SP800-113, Guide to SSL VPNs,NIST SP800-113, Guide to SSL VPNs or others Federal Information Processing Standards (FIPS) 140-2 validated.Federal Information Processing Standards (FIPS) 140-2 1 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

31 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Destruction Guidance Must shred or destroy paper, film or other media Electronic media  cleared, purged or destroyed consistent with NIST SP 800- 88, Guidelines for Media SanitizationNIST SP 800- 88, Guidelines for Media Sanitization 31

32 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 2012 OCR Audit Protocol 32 Audit Procedures 1.Inquire of management as to whether an encryption mechanism is in place to protect ePHI. 2.Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to: a.Type(s) of encryption used. b.How encryption keys are protected. c.Access to modify or create keys is restricted to appropriate personnel. d.How keys are managed. 3.If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.

33 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Policy defines an organization’s values & expected behaviors; establishes “good faith” intent People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs. Procedures or processes – documented - provide the actions required to deliver on organization’s values. Safeguards includes the various families of administrative, physical or technical security controls ( including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.) Balanced Compliance Program Balanced Compliance Program Clearwater Compliance Compass™ 33

34 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Session Objectives 34 1.Define and understand basic HIPAA- HITECH relevant terms and concepts 2.Review the specific requirements of HIPAA and HITECH for encryption 3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements 4.Address Why Encryption is Not Enough!

35 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Next Actions to Meet Requirements 1. Get Educated on Encryption 2. Determine Regulations that Apply to You 3. Include ALL “ePHI homes” 4. Decide If Encryption is Enough 5. Establish Selection Criteria 6. Identify Alternatives for Secure PHI 35 7.Test Top Alternatives  Don’t Create Bricks! 8.Ensure Fit Into an Overall HIPAA Compliance Plan 9. Put BAs and Subcontractors on Notice 10. Seek Help, If Needed

36 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Session Objectives 36 1.Define and understand basic HIPAA- HITECH relevant terms and concepts 2.Review the specific requirements of HIPAA and HITECH for encryption 3.Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements 4.Address Why Encryption is Not Enough!

37 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Is Encryption Enough? 37

38 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Graphical representation of state laws NM, SD, Kentucky, Alabama lack statutes Darker colors – tougher laws Virginia considered toughest because of highest penalties California started this with law passed in 2002, effective 2003 Generally applies to government agencies and businesses Some States also cover healthcare

39 © 2010-12 Clearwater Compliance LLC | All Rights Reserved What even constitutes a breach requiring notification? Again, varies State by State Typically, the release of a name and some other identifier Address, SSN, account number Some States have a harm requirement; some don’t Some require a minimum # breached before notification required Some make encryption a safe harbor; some don’t

40 © 2010-12 Clearwater Compliance LLC | All Rights Reserved But does encryption always = “Safe Harbor”? Those who claim encryption is a safe harbor to HIPAA regulation should read 74 Federal Register 79 – issued 4/27/09 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals At page 19009 – “(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.”

41 © 2010-12 Clearwater Compliance LLC | All Rights Reserved New York General Business Law § 899-aa Prior statute: "Personal identifying information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element: Current statute: "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:

42 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Several States do allow encryption to be a safe harbor Arizona 44-7501A 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions A. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.

43 © 2010-12 Clearwater Compliance LLC | All Rights Reserved What does all this volatility mean to you? Causes the most problems for multi-state entities How do compliance officers respond? They comply with “highest- denominator” Means they comply with the toughest State statues to play it safe If in compliance with the toughest They’re in compliance with the rest Why is staying compliant important?

44 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Consider More Robust Technology 44

45 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Many Services/Many Solutions/Even Unique Ones Computrace/Lojack for Laptops/Patented Persistence – Unique to the industry Many devices/one solution – Also unique Recovery staff of 43 ex-law enforcement officers/over 1000 years experience – Also unique Encrypted devices/Encryption Reports Device Freeze/Data Delete Geo-fencing/Data Loss Prevention Forensic/Investigative Services Can tell what data is and isn’t seen/Report generated

46 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Compliance is important way beyond HIPAA penalties & fines Think as an ambulance-chasing attorney for a moment Each listing of a breached healthcare system is > 500 identities Generally, breached identity is valued at a minimum of $1000 Class action lawsuit just waiting to happen

47 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Shooting fish in a barrel Shooting sitting ducks (from a blind that’s not all that blind) Apropos analogies?

48 © 2010-12 Clearwater Compliance LLC | All Rights Reserved A $4.9 BILLION Lawsuit U.S. Dept. of Defense defendant for theft of computer tape from car driven by employee of the subcontractor of one of its Business Associates Records of 4.9 million members of military on the tape $1000 per victim = $4.9 billion Business Associate also a defendant, but not the subcontractor (sue the entities with the biggest pockets)

49 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Another $4 BILLION Lawsuit ??? 49 Failing to use Encryption

50 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Share Price 50 July 2011 - Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car 7/31/2012 $2.5M MN SAG Settlement 1/19/2012 MN SAG Suit 12/31/2013 FTC Settle. 6/13/2013 Class Suit 9/27/2013 $14M Class Settlement http://finance.yahoo.com/echarts?s=AH+I nteractive#symbol=ah;range=5y;compare =;indicator=volume;charttype=area;cross hair=on;ohlcvalues=0;logscale=off;source =undefinedhttp://finance.yahoo.com/echarts?s=AH+I nteractive#symbol=ah;range=5y;compare =;indicator=volume;charttype=area;cross hair=on;ohlcvalues=0;logscale=off;source =undefined; 4/2/2013 CEO Replaced 8/26/2013 CFO Replaced

51 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 51 1.Secure Your PHI  Avoid the “Wall of Shame” … Get Started Now Summary 2.Technology solutions are an important part, but only part of a balanced Security Program 3.Large or Small: Consider Getting Help (Tools, Experts, etc)

52 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 52Resources Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk- analysis-resources/hipaa-risk-analysis-buyers- guide-checklist/ http://abouthipaa.com/about-hipaa/hipaa-risk- analysis-resources/hipaa-risk-analysis-buyers- guide-checklist/ Encryption & Risk Analysis Information: http://abouthipaa.com/about-hipaa/hipaa- hitech-resources/ http://abouthipaa.com/about-hipaa/hipaa- hitech-resources/

53 © 2010-12 Clearwater Compliance LLC | All Rights Reserved Register For Upcoming Live HIPAA-HITECH Webinars at: Register For Upcoming Live HIPAA-HITECH Webinars at: http://clearwatercompliance.com /live-educational-webinars/ http://clearwatercompliance.com /live-educational-webinars/ 53 Resources View pre-recorded Webinars like this one at: http://clearwatercompliance.com/on- demand-webinars/

54 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 54 Clearwater HIPAA Compliance BootCamp™ Events Take Your HIPAA Privacy and Security Program to a Better Place, Faster Other 2014 Plans – Virtual, Web- Based Events (3, 3-hr sessions): May 14-21-28 August 13-20-27 November 5-12-19 Other 2014 Plans - Live, In- Person Events (9-hours): March 17 – Detroit April 24 - San Francisco July 24 – Boston October 16 - Los Angeles March 17| Live HIPAA BootCamp™ | Detroit Live HIPAA BootCamp™ |Live HIPAA BootCamp™ | February 12, 19, 26 | HIPAA Virtual BootCamp™ February 12, 19, 26 | HIPAA Virtual BootCamp™

55 © 2010-12 Clearwater Compliance LLC | All Rights Reserved HIPAA Compliance BootCamp™ Welcome, Introductions and Overview 1.How to Set Up Your Privacy and Security Risk Management & Governance Program 2.How to Assess Your Increased Liability Risk Under the Omnibus Final Rule 3.How to Develop & Implement Comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs) Networking Break 4.How to Prepare for and Manage an OCR Investigation 5.How to Train all Members of Your Workforce Networking Luncheon & Refresh 6.Panel Discussion – How to Implement a Strong, Proactive Business Associate Management Program 7.How to Complete All HIPAA Security Rule Assessment Requirements Networking Break 8.Presentation and Panel Discussion: How to Create a “Culture of Compliance” 9.How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule Buffer Time, Q&A, Final Remarks Attendee Reception (optional) 55 HOW TO…

56 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 56 Gregory J. Ehardt, JD, LL.M. HIPAA/Assistant Compliance Officer - HCA Adjunct Professor Office of General Counsel Idaho State University Bob Chaput, CISSP, CIPP/US CHP, CHSS CEO Clearwater Compliance Expert Instructors Elizabeth Warren, Esq. Partner Bass, Berry & Sims, PLC Mary Chaput, MBA, CIPP/US, CHP CFO & Chief Compliance Officer Clearwater Compliance Meredith Phillips, MHSA, CHC, CHPC Chief Information Privacy & Security Officer Henry Ford Health System David Finn, CISA, CISM, CRISC Health IT Officer Symantec Corporation

57 © 2010-12 Clearwater Compliance LLC | All Rights Reserved 57 Contact Stephen TregliaStephen Treglia, JD Legal Counsel, Recovery Section Absolute Software Corporation (877) 600-2293 streglia@absolute.com Bob ChaputBob Chaput, CISSP, CIPP-US, CHP, CHSS CEO & Founder Clearwater Compliance LLC 615-656-4299 or 800-704-3394 bob.chaput@ClearwaterCompliance.com

58 © 2010-12 Clearwater Compliance LLC | All Rights Reserved

Download ppt "© 2010-12 Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Privacy, Security, Confidentiality, and Legal Issues

Privacy, Security, Confidentiality, and Legal Issues
© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.
© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

© Clearwater Compliance LLC | All Rights Reserved Copyright Notice 1 Copyright Notice. All materials contained within this document are protected by United.

Similar presentations

Ads by Google