4/20/2017 Copyright Notice Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be.

Presentation transcript:

4/20/2017 Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to bob.chaput@clearwatercompliance.com © Clearwater Compliance LLC | All Rights Reserved

HIPAA-HITECH 101 Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Instructional Module 5: How to Train All Members of Your Workforce

Module 5. Overview: "How to Train All Members of Your Workforce"
Instructional Module Duration = 30 minutes
Learning Objectives Addressed In This Module:
- Cite and explain the explicit HIPAA requirements for training
- Explain the difference between training on the regulations and training on your own PnPs (policies and procedures)
- Describe why it is necessary for training to be job/role specific
- Describe a framework for an ongoing Privacy and Security Reminder program

Four Critical Dimensions of a Balanced Compliance Program (Clearwater Compliance Compass™):
- People: must include talented privacy, security and technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
- Policy: defines an organization's values and expected behaviors; establishes "good faith" intent.
- Procedures (or processes), documented: provide the actions required to deliver on the organization's values.
- Safeguards: the various families of administrative, physical or technical security controls (including "guards, guns, and gates", encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

Demonstrate Good Faith Effort! 9 Actions to Take Now
1. Set a Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
7. Implement a strong, proactive Business Associate Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan

Session Objectives
- Understand the Case for Action
- Review specific HIPAA Training Regulations
- Learn how to Train All Members of Your Workforce

Some OCR Corrective Action Plans (HIPAA-HITECH 101; slide total $13.5+M)
Entities and resolution amounts as shown on the slide: $150K AP DERM; $1.2M AHP; $1.7M WLP; $400K ISU; $50K HONI; $1.5M MEEI; $2.3M CVS; $1.0M Rite-Aid; BCBS TN; MGH; $100K PHX; $865K UCLA; AK DHSS.
Corrective Action Plan (CAP) requirements imposed across these cases:
- Establish a comprehensive information security program
- Designate an accountable security owner
- Develop privacy and security policies and procedures
- Document authorized access to ePHI
- Distribute and update policies and procedures
- Document a process for responding to security incidents
- Implement training and sanctions for non-compliance
- Conduct risk analysis / establish a risk management process
- Implement reasonable safeguards to control risks
- Regularly review records of information system activity
- Implement reasonable steps to select service providers
- Test and monitor security controls following changes
- Obtain assessments from a qualified independent 3rd party
- Retain required documentation

Case for Action
- 9 out of every 10 breaches affecting 500 or more individuals published on the HHS website* were caused by people in the organization.
- Virtually every complaint of privacy violations investigated by the Office for Civil Rights ("OCR") and resulting in a corrective action involved violations by people in the organization.**
* http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
** http://www.hhs.gov/ocr/privacy/hipaa/complaints/

Case for Action – Recent HHS ‘Wall of Shame’ Data (chart; source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html)

2012 OCR Audit Protocol
OCR Audit Established Performance Criteria, HIPAA Security Rule: §164.308(a)(5) Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).
OCR Audit Key Activities:
1. Develop and Approve a Training Strategy and a Plan.
2. Develop Appropriate Awareness and Training Content, Materials, and Methods.
3. Implement the Training.
4. Monitor and Evaluate Training Plan.

2012 OCR Audit Protocol - Example
OCR Audit Established Performance Criteria: §164.308(a)(5) Security Awareness and Training - Implement a security awareness and training program for all members of its workforce (including management).

OCR Audit Key Activity 1: Develop and Approve a Training Strategy and a Plan.
OCR Audit Protocol Procedures 1: Inquire of management as to whether security awareness and training programs address the specific required HIPAA policies. Obtain and review a list of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if the specific HIPAA policies are addressed in these courses. Determine if the security awareness and training programs are provided to the entire organization. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on why they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 2:
OCR Audit Protocol Procedures 2: Inquire of management as to whether security awareness and training programs outline the scope of the program. Obtain and review a sample of security awareness and training programs and evaluate the content in relation to the specified criteria. Determine if security awareness and training programs have been reviewed and approved. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on their rationale as to why and where they have chosen not to fully implement this specification. Evaluate this documentation if applicable.

OCR Audit Key Activity 3: Develop Appropriate Awareness and Training Content, Materials, and Methods.
OCR Audit Protocol Procedures 3: Inquire of management as to whether training materials incorporate relevant current IT security topics. Obtain and review a sample of training materials and determine if training materials are updated with relevant and current information. Determine if training materials are reviewed to ensure relevant and current information is included. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 4: Implement the Training.
OCR Audit Protocol Procedures 4: Inquire of management as to whether employees receive all required training. Obtain and review a list of required training. Determine if required training courses are designed to help employees fulfill their security responsibilities. Determine if training courses are provided to employees to fulfill their security responsibilities. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

OCR Audit Key Activity 5: Monitor and Evaluate Training Plan.
OCR Audit Protocol Procedures 5: Inquire of management as to whether security policies and procedures are updated periodically. Obtain and review security policies and procedures. Determine if security policies and procedures are approved and updated on a periodic basis. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so.

2012 OCR Audit Protocol, HIPAA Privacy Rule
OCR Audit Established Performance Criteria: §164.530 - Administrative Requirements
§164.530(b)(1) A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
§164.530(b)(2)(i)(A) Training must be provided to each member of the covered entity's workforce by no later than the compliance date for the covered entity; (B) thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and (C) to each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart within a reasonable amount of time.

2012 OCR Audit Protocol
OCR Audit Procedures:
- Inquire of management as to whether training is provided to the entity's workforce on HIPAA Privacy Standards.
- Obtain and review documentation to determine if a training process is in place for HIPAA privacy standards.
- Obtain and review documentation to determine if a monitoring process is in place to help ensure all members of the workforce receive training on HIPAA privacy standards as mandated by §164.530(b)(1) and §164.530(b)(2)(i).
- For a selection of new hires within the audit period, obtain and review documentation showing training on HIPAA privacy compliance has been completed.


Basic HIPAA Requirements: Training!! … rather than controls
HIPAA SECURITY RULE 45 C.F.R. §164.308 Administrative Safeguards.
(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
- Security reminders (Addressable). Periodic security updates.
- Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
- Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
- Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

HIPAA Requirements on a CE/BA
HIPAA PRIVACY FINAL RULE 45 C.F.R. §164.530(b) Training.
(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

Pause & Quick Poll (answer YES / NO / DON'T KNOW)
- PnPs on Training? Do you have formal PnPs on HIPAA Privacy, Security and HITECH Breach Notification training?
- Training Omnibus-ized? Is your training up to date to include Omnibus Final Rule changes?
- Ongoing Program? Do you have a formal program for ongoing privacy and security reminders?


How to Train All Members of Your Workforce
- Form a cross-functional task force – make it a team sport
- Set business risk management goals – how many by what dates
- Get educated – learn the requirements and the consequences
- Complete training upon hire and on an ongoing basis – ongoing privacy and security reminders
- Make it job/role specific – make it personal
- Make it fun – use skits / drama
- Keep it visible – hold events
- Make sure "suits" are present and participate
- Use breach events as learning opportunities
- Use cartoons – see http://HIPAAcartoons.Com
- Have a plan and record all training
- Train on event-incident-breach
- Train from cases – use investigations and audits
- Vary modalities – online, live classroom, team projects, workshops

HHS Free HIPAA Training Resources
- OCR offers free training on compliance with the HIPAA Privacy and Security Rules for Continuing Medical Education (CME) credit at http://www.medscape.org/sites/advances/patients-rights
- HIPAA Enforcement Training for State Attorneys General: http://www.hhshipaasagtraining.com/
Clearwater Free HIPAA Training Resources
- Live Webinar Events: http://clearwatercompliance.com/live-educational-webinars/
- On Demand Webinar Events: http://clearwatercompliance.com/on-demand-webinars/
- Clearwater HIPAA-HITECH Blue Ribbon Panel™ Web Events: http://clearwatercompliance.com/hipaa-hitech-blue-ribbon-panel/

OCR Privacy & Security ListServs
- OCR Privacy List: https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-PRIVACY-LIST&A=1
- OCR Security List: https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-SECURITY-LIST&A=1

Certification Programs
From ISC2…
- CISSP - https://www.isc2.org/CISSP/Default.aspx (and beyond; e.g., CISSP-ISSMP)
- HCISPP - https://www.isc2.org/hcispp/default.aspx
From IAPP…
- CIPP/US - https://www.privacyassociation.org/certification/cipp_certification_programs
- CIPP/IT - https://www.privacyassociation.org/certification/cipp_certification_programs/cipp_it
From ISACA…
- CISA - http://www.isaca.org/CERTIFICATION/CISA-CERTIFIED-INFORMATION-SYSTEMS-AUDITOR/Pages/default.aspx
- CISM - http://www.isaca.org/certification/cism-certified-information-security-manager/Pages/default.aspx
- CRISC - http://www.isaca.org/CERTIFICATION/CRISC-CERTIFIED-IN-RISK-AND-INFORMATION-SYSTEMS-CONTROL/Pages/default.aspx
From AHIMA…
- CHPS - http://www.ahima.org/certification/chps
- CHTS - http://www.ahima.org/certification/chts
From HCCA…
- CHC - http://www.compliancecertification.org/CHC/CertifiedinHealthcareCompliance.aspx
- CHPC - http://www.compliancecertification.org/CHPC/CertifiedinHealthcarePrivacyCompliance.aspx

Some Best Practices
- Specific examples with day-to-day activities
- Daily or weekly privacy & security rounds by senior staff
- Posters in all workforce areas
- Splash screens at logon
- Periodic privacy and security reminder emails
- Script cards
- Visible sanctions
- Formal lessons learned
- Join the right associations

Supplemental Materials
5-1. Sample "HIPAA and Identity Theft Protection Poster High Res" (PDF)
5-2. 2012 OCR HIPAA Audit Program Protocol on Security Training (Word)
5-3. Texas House Bill 300 (PDF)
5-4. Clearwater HIPAA Privacy and Security Reminders

Questions?