
4/20/2017 Copyright Notice Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be.


1 Copyright Notice
4/20/2017
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to
© Clearwater Compliance LLC | All Rights Reserved |

2 HIPAA-HITECH 101 Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

3 Instructional Module 5: How to Train All Members of Your Workforce

4 Module 5 Overview: “How to Train all Members of Your Workforce”
Instructional Module Duration = 30 minutes
Learning Objectives Addressed In This Module:
- Cite and explain the explicit HIPAA requirements for training
- Explain the difference between training on the regulations and training on your own PnPs
- Describe why it is necessary for training to be job/role specific
- Describe a framework for an ongoing Privacy and Security Reminder program

5 Four Critical Dimensions (Clearwater Compliance Compass™)
People must include talented privacy, security and technical staff; engaged and supportive management; and trained, aware colleagues who follow PnPs.
Policy defines an organization’s values and expected behaviors, and establishes “good faith” intent.
Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
Together these four dimensions form a Balanced Compliance Program.

6 Demonstrate Good Faith Effort!
9 Actions to Take Now:
1. Set a Privacy and Security Risk Management & Governance Program in place (45 CFR § (a)(1))
2. Develop & implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR § and 45 CFR § )
3. Train all Members of Your Workforce (45 CFR § (b) and 45 CFR § (a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR § (a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § (a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § (a)(8))
7. Implement a strong, proactive Business Associate / Management Program (45 CFR § (e) and 45 CFR § (b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR § and 45 CFR § )
9. Document and act upon a remediation plan

7 Session Objectives
- Understand The Case for Action
- Review specific HIPAA Training Regulations
- Learn how to Train All Members of Your Workforce

8 Some OCR Corrective Action Plans
Enforcement actions (table columns; $13.5+M in total): $150K AP DERM, $1.2M AHP, $1.7M WLP, $400K ISU, $50K HONI, $1.5M MEEI, $2.3M CVS, $1.0M Rite-Aid, BCBS TN, MGH, $100K PHX, $865K UCLA, AK DHSS
Corrective Action Plan (CAP) Requirements (table rows):
- Establish a Comprehensive Information Security Program
- Designate an accountable Security Owner
- Develop Privacy and Security policies and procedures
- Document authorized access to ePHI
- Distribute and update policies and procedures
- Document process for responding to security incidents
- Implement training and sanctions for non-compliance
- Conduct Risk Analysis / establish Risk Management Process
- Implement reasonable safeguards to control risks
- Regularly review records of information system activity
- Implement reasonable steps to select service providers
- Test and monitor security controls following changes
- Obtain assessments from a qualified independent 3rd party
- Retain required documentation

9 Case for Action
9 out of every 10 breaches affecting 500 or more individuals published on the HHS Website* were caused by people in the organization.
Virtually every complaint of privacy violations investigated by the Office for Civil Rights (“OCR”) and resulting in a corrective action involved violations by people in the organization.**

10 Case for Action – Recent HHS ‘Wall of Shame’ Data

11 2012 OCR Audit Protocol
HIPAA Security Rule – OCR Audit Established Performance Criteria: § (a)(5) Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).
OCR Audit Key Activities:
- Develop and Approve a Training Strategy and a Plan.
- Develop Appropriate Awareness and Training Content, Materials, and Methods.
- Implement the Training.
- Monitor and Evaluate Training Plan.

12 2012 OCR Audit Protocol - Example
OCR Audit Established Performance Criteria: § (a)(5) Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).
OCR Audit Key Activity 1: Develop and Approve a Training Strategy and a Plan.
OCR Audit Protocol Procedures 1: Inquire of management as to whether security awareness and training programs address the specific required HIPAA policies. Obtain and review a list of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if the specific HIPAA policies are addressed in these courses. Determine if the security awareness and training programs are provided to the entire organization. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.
OCR Audit Key Activity 2:
OCR Audit Protocol Procedures 2: Inquire of management as to whether security awareness and training programs outline the scope of the program. Obtain and review a sample of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if security awareness and training programs have been reviewed and approved. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on their rationale as to why and where they have chosen not to fully implement this specification. Evaluate this documentation if applicable.
OCR Audit Key Activity 3: Develop Appropriate Awareness and Training Content, Materials, and Methods.
OCR Audit Protocol Procedures 3: Inquire of management as to whether training materials incorporate relevant current IT security topics. Obtain and review a sample of training materials and determine if training materials are updated with relevant and current information. Determine if training materials are reviewed to ensure relevant and current information is included. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.
OCR Audit Key Activity 4: Implement the Training.
OCR Audit Protocol Procedures 4: Inquire of management as to whether employees receive all required training. Obtain and review a list of required training. Determine if required training courses are designed to help employees fulfill their security responsibilities. Determine if training courses are provided to employees to fulfill their security responsibilities. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.
OCR Audit Key Activity 5: Monitor and Evaluate Training Plan.
OCR Audit Protocol Procedures 5: Inquire of management as to whether security policies and procedures are updated periodically. Obtain and review security policies and procedures. Determine if security policies and procedures are approved and updated on a periodic basis. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

13 2012 OCR Audit Protocol
HIPAA Privacy Rule – OCR Audit Established Performance Criteria: § Administrative Requirements
§ (b)(1) A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
§ (b)(2)(i)(A) Training must be provided to each member of the covered entity's workforce by no later than the compliance date for the covered entity; (B) thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and (C) to each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart within a reasonable amount of time.

14 2012 OCR Audit Protocol – OCR Audit Procedures
- Inquire of management as to whether training is provided to the entity's workforce on HIPAA Privacy Standards.
- Obtain and review documentation to determine if a training process is in place for HIPAA privacy standards.
- Obtain and review documentation to determine if a monitoring process is in place to help ensure all members of the workforce receive training on HIPAA privacy standards as mandated by § (b)(1) and § (b)(2)(i).
- For a selection of new hires within the audit period, obtain and review documentation showing training on HIPAA privacy compliance has been completed.

15 Session Objectives
- Understand The Case for Action
- Review specific HIPAA Training Regulations
- Learn how to Train All Members of Your Workforce

16 Training!! … rather than controls
Basic HIPAA Requirements – HIPAA SECURITY RULE 45 C.F.R. § Administrative Safeguards.
(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
- Security reminders (Addressable). Periodic security updates.
- Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
- Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
- Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

17 HIPAA Requirements on a CE/BA
HIPAA PRIVACY FINAL RULE 45 C.F.R. § (b) Training.
(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity; (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

18 Pause & Quick Poll (answer YES / NO / DON’T KNOW)
- PnPs on Training? Do you have formal PnPs on HIPAA Privacy, Security and HITECH Breach Notification training?
- Training Omnibus-ized? Is your training up to date to include Omnibus Final Rule changes?
- Ongoing Program? Do you have a formal program for ongoing privacy and security reminders?

19 Session Objectives
- Understand The Case for Action
- Review specific HIPAA Training Regulations
- Learn How to Train All Members of Your Workforce

20 How to Train All Members of Your Workforce
- Form A Cross-functional Task Force – Make It A Team Sport
- Set Business Risk Management Goals – How Many by What Dates
- Get Educated – Learn The Requirements And The Consequences
- Complete Training Upon Hire And On An Ongoing Basis - Ongoing Privacy And Security Reminders
- Make It Job/Role Specific - Make It Personal
- Make It Fun - Use Skits / Drama
- Keep It Visible - Hold Events
- Make Sure “Suits” Are Present and Participate
- Use Breach Events As Learning Opportunities
- Use Cartoons – See
- Have A Plan And Record All Training
- Train on Event-Incident-Breach
- Train from Cases – Use Investigations And Audits
- Vary Modalities - Online, Live Classroom, Team Projects, Workshops

21 HHS Free HIPAA Training Resources
- OCR offers free training on compliance with the HIPAA Privacy and Security Rules for Continuing Medical Education (CME) credit at
- HIPAA Enforcement Training for State Attorneys General at:
Clearwater Free HIPAA Training Resources
- Live Webinar Events:
- On Demand Webinar Events:
- Clearwater HIPAA-HITECH Blue Ribbon Panel™ Web Events:

22 OCR Privacy & Security ListServs

23 Certification Programs
- From ISC2: CISSP (and beyond; e.g., CISSP-ISSMP), HCISPP
- From IAPP: CIPP/US, CIPP/IT
- From ISACA: CISA, CISM, CRISC
- From AHIMA: CHPS, CHTS
- From HCCA: CHC, CHPC

24 Some Best Practices – Specific Examples With Day-to-day Activities
- Daily Or Weekly Privacy & Security Rounds By Senior Staff
- Posters In All Workforce Areas
- Splash Screens At Logon
- Periodic Privacy And Security Reminders
- Script Cards
- Visible Sanctions
- Formal Lessons Learned
- Join The Right Associations

25 Supplemental Materials
5-1. Sample “HIPAA and Identity Theft Protection Poster High Res” (PDF)
5-2. OCR HIPAA Audit Program Protocol on Security Training (Word)
5-3. Texas House Bill 300 (PDF)
5-4. Clearwater HIPAA Privacy and Security Reminders

26 Questions?

