© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
How the Omnibus Final Rule Raised the Ante for HIPAA Compliance
November 21
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
Clearwater Compliance LLC
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations! So there!
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
President, Clearwater Compliance LLC
- 30+ years in Business, Operations and Technology
- 20+ years in Healthcare
- Executive | Educator | Entrepreneur
- Global Executive: GE, JNJ, HWAY
- Responsible for largest healthcare datasets in the world
- Numerous Technical Certifications (MCSE, MCSA, etc.)
- Expertise and Focus: Healthcare, Financial Services, Retail, Legal
- Member: IAPP, (ISC)², HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
Our Passion
We're excited about what we do because… we're helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… and keeping those same organizations off the Wall of Shame…!
Session Agenda
1. Why?
2. What?
3. When?
4. Now What?
5. How?
6. Resources
Nationwide Health Information Network (NwHIN) Vision
NwHIN and Privacy & Security
Privacy and security are essential to the NwHIN healthcare vision. Three questions about my PHI / ePHI map to the three security properties:
- INTEGRITY: What if my Protected Health Information is not complete, up-to-date and accurate?
- CONFIDENTIALITY: What if my Protected Health Information is shared? With whom? How?
- AVAILABILITY: What if my Protected Health Information is not there when it is needed?
What's The Big Deal? (1)
- Street cost for a stolen record: Medical $50 vs. SSN $1
- Payout for identity theft: Medical $20,000 vs. Regular $2,000
- Medical records can be exploited 4x longer
- Credit cards can be cancelled; medical records can't

Medical record abuse consequences:
- Prescription Fraud
- Financial Fraud
- Medical Claims Fraud
- Personal Data Resale
- Blackmail / Extortion
- Embarrassment
- Job loss / Reputational harm

Majority of clinical fraud: obtaining prescription narcotics for illegitimate use. ~5% of clinical fraud: free health care.

(1) RSA Report on Cybercrime and the Healthcare Industry
Three Pillars of HIPAA-HITECH Compliance: Privacy, Security, Breach Notification (all amended by the Omnibus Final Rule)
- Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 "dense" Implementation Specifications
- Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specifications
- HITECH Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specifications
Regulatory "Field Trip": 45 CFR Part 160 and Part 164. The Omnibus Final Rule makes big changes in both 160 and 164.
Bottom Line Up Front
THREE absolute "game changers":
1) More Enforcement
2) Bigger Penalties
3) Wider Net Cast
Health Information Technology for Economic and Clinical Health Act
HITECH = Hey, It's Time to End your Compliance Holiday
Business Associate and Subcontractor Provisions - 45 CFR §

Before Omnibus: a BA was anyone who "performs or assists in the performance of any function" for a CE involving PHI, e.g.:
- TPAs
- Analytics firms
- Billing companies
- IT consultants
- Accountants
- Etc.

After Omnibus: a BA is anyone who creates, receives, maintains or transmits PHI on behalf of a CE. That includes all prior organizations AND:
- Health Information Organizations
- E-prescribing gateways
- Entities that transmit PHI and have access to it
- Personal Health Record vendors acting for CEs
- SUBCONTRACTORS
- Physical storage facilities and electronic storage vendors that maintain PHI

Still NOT a BA:
- CE to healthcare provider
- Group health plan (GHP) to plan sponsor

Takeaway: much wider net, more risks and liabilities, more monitoring by all.
Applicability of Privacy Rule and Security Rule to Business Associates - 45 CFR §

Before Omnibus:
- Privacy Rule and Security Rule directly applied only to CEs
- BAs and their subcontractors were only indirectly subject to the Rules, contractually, through BAAs

After Omnibus:
- BAs must comply with the Privacy Rule and the Security Rule (direct liability)
- BAs are subject to CMPs and criminal penalties for a violation of the Privacy Rule or Security Rule
- Remember: subcontractors are BAs!

Takeaway for BAs: more risks and liabilities, more monitoring by upstream CEs and BAs. Get going on a compliance program now!
Enforcement: Applicability of Enforcement Rule to Business Associates - 45 CFR §

Before Omnibus:
- BAs were not directly subject to the HIPAA civil and criminal penalty scheme
- CEs were required to impose certain privacy and security obligations on BAs in BAAs

After Omnibus:
- BAs are directly liable
- These sections add "business associate" to implement HITECH §13401 and §13404: §§ ; ; (a) and (c); ; ; ; ; ; ; (b); ; (c) and (d); and (a) and (c).

BAs MUST GET SERIOUS NOW: Policies, Procedures, People & Safeguards.
Business Associate Agreement Provisions Required by Privacy Rule - 45 CFR § (e)

Before Omnibus, a BAA had to:
- Establish the permitted and required uses and disclosures of PHI by the business associate
- Limit further use or disclosure
- Require appropriate safeguards
- Require reporting of any use or disclosure not provided for by the agreement
- Ensure agents / subcontractors protect PHI
- Ensure access, amendment, accounting, etc.
- Require return or destruction of PHI upon termination
- Etc.

After Omnibus: ALL of the above PLUS:
- Report breaches of the BAA (uses or disclosures not permitted by the agreement)
- Report breaches of unsecured PHI
- Comply with the Security Rule
- Enter into a compliant downstream agreement with any subcontractor
- New provision: where the BA carries out a covered entity's obligation under the Privacy Rule, the BAA must require the BA to comply with the Privacy Rule requirements that apply to the CE in performing that obligation

BAs and CEs must update their BAAs; there is a grace period for certain existing BAAs.
Definition of Breach - 45 CFR §

Before Omnibus: the "Harm Standard". Burden of proof for the CE turned on whether the incident "compromises the security or privacy of the protected health information", which meant "poses a significant risk of financial, reputational, or other harm to the individual." "Secured PHI" was excluded.

After Omnibus: a regulatory presumption that any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is a breach, unless the entity can show otherwise via a "Compromise Assessment".
- Burden of proof for the CE: to demonstrate that there is a low probability that the protected health information has been compromised, based on a risk assessment
- Burden of proof for the BA: to demonstrate that all required notifications have been made

Result: more reportable breaches, more pressure on CEs and BAs.
Three Terms to Memorize (CFR Definitions)
1. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
2. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. (NEW!)
3. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Give your CEO and outside counsel something to work with!
Enforcement: Amount of CMP - 45 CFR §

Violation Category (Section 1176(a)(1))      | Penalty Range for Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Reasonable Diligence (Did Not Know)      | $100 - $50,000                   | $1,500,000
(B) Reasonable Cause                         | $1,000 - $50,000                 | $1,500,000
(C)(i) Willful Neglect - Corrected           | $10,000 - $50,000                | $1,500,000
(C)(ii) Willful Neglect - Not Corrected      | $50,000                          | $1,500,000

Notes: HHS has discretion to apply the $50,000 per-violation amount at any level. CEs and BAs: act swiftly in case of a breach.
Some OCR Corrective Action Plans (CAPs)

Settlements covered: $1.2M AHP, $1.7M WLP, $400K ISU, $50K HONI, $1.5M MEEI, $2.3M CVS, $1.0M Rite-Aid, $1.5M BCBS TN, $1.0M MGH, $100K PHX, $865K UCLA, $1.7M AK DHSS. Total: $13.5+M.

CAP requirement (number of the 12 CAPs that include it, as marked on the slide):
- Establish a Comprehensive Information Security Program (2)
- Designate an accountable Security Owner (2)
- Develop Privacy and Security policies and procedures (7)
- Document authorized access to ePHI (1)
- Distribute and update policies and procedures (7)
- Document process for responding to security incidents (9)
- Implement training and sanctions for non-compliance (7)
- Conduct Risk Analysis / establish Risk Management process (12)
- Implement reasonable safeguards to control risks (10)
- Regularly review records of information system activity (1)
- Implement reasonable steps to select service providers (1)
- Test and monitor security controls following changes (8)
- Obtain assessments from a qualified independent third party (8)
- Retain required documentation (10)
Enforcement: OCR Investigations and Compliance Reviews - 45 CFR §§ , ,

Before Omnibus:
- OCR may, but is not required to, conduct complaint investigations or compliance reviews
- OCR is required to attempt to resolve investigations by informal means

After Omnibus:
- OCR is required to conduct an investigation or compliance review when a preliminary investigation of the facts indicates a possible violation due to willful neglect (i.e., the third and fourth culpability levels under the civil money penalty provisions)
- The Final Rule permits, but does not require, OCR to attempt to resolve investigations by informal means

Increased enforcement. Don't wait: gap assessments, risk analyses, policies and procedures, training, etc.
New "Arrows" in the HHS/OCR Enforcement Quiver
- New Civil Monetary Penalty System
- State Attorney General (SAG) jurisdiction
- OCR Audits
- Wider Net
- Breach Notification Rule and the "Wall of Shame"
- CMS Meaningful Use (MU) Attestation Audits
- False Claims Act (FCA)?
Key Things To Remember
- HIPAA is only a "floor" of federal privacy protections
- There are legal consequences if you fail to meet the federal "floor" of protections
- Significance of "willful neglect":
  - Essential for civil penalties
  - HHS MUST formally investigate any complaint if the facts indicate a "possible violation due to willful neglect" (HITECH section )
  - HHS MUST impose a civil penalty
  - "Willful Neglect" = conscious, intentional failure or reckless indifference to legal requirements (section )
What Happens If I Don't Comply? (HIPAA-HITECH CEs and Texas HB300 CEs)
- Federal Civil Monetary Penalty System and Criminal Penalties
- PLUS, for Texas HB300 covered entities: State of Texas penalties, disciplinary actions and audits, with additional Texas civil penalties of $5,000 - $1.5 million per violation, based on:
  1. Seriousness of the violation;
  2. Entity's compliance history;
  3. Harm done to individuals; and
  4. Efforts made to correct violations.
Omnibus Timing (1)
- January 17, 2013: Release
- January 25, 2013: Publication
- March 26, 2013: Effective Date
- September 23, 2013: Compliance Date

(1) Subject to BAA transition provisions
Now What?
1. Breathe Deeply
2. Continue Education
3. Leverage Resources
4. Think Peer Working Group
5. Think Executive Sponsor
6. Assess Current Situation
7. Think Program, Not Project
Balanced Compliance Program (Clearwater Compliance Compass™)
- Policy defines an organization's values and expected behaviors; it establishes "good faith" intent.
- Procedures or processes, documented, provide the actions required to deliver on the organization's values.
- People must include talented privacy, security and technical staff, engaged and supportive management, and trained, aware colleagues following the policies and procedures.
- Safeguards include the various families of administrative, physical or technical security controls (including "guards, guns, and gates", encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).
8 Actions to Take Now
1. Set a Privacy and Security Risk Management & Governance Program in place (45 CFR § (a)(1))
2. Develop and implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR § and 45 CFR § )
3. Complete a HIPAA Security Risk Analysis (45 CFR § (a)(1)(ii)(A))
4. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § (a)(8))
5. Complete technical testing of your environment (45 CFR § (a)(8))
6. Implement a strong, proactive Business Associate Management Program (45 CFR § (e) and 45 CFR § (b))
7. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR § and 45 CFR § )
8. Document and act upon a remediation plan

Demonstrate good faith effort!
Three Industry-Leading SaaS Solutions: to address all regulatory requirements and to operationalize your program.
Investment Assurance: three ways to engage, to meet your budget and assurance requirements.
HIPAA-HITECH Compliance Resources
1. HIPAA-HITECH Risk Management eNewsletter
2. OCR Audit Resources
3. HIPAA-HITECH Resources
4. HIPAA Risk Analysis Resources
5. HIPAA Privacy Rule Resources
Helpful Resources
- Clearwater CE Omnibus ReadinessCheck™: entity-omnibus-readinesscheck/
- Clearwater BA Omnibus ReadinessCheck™: associate-omnibus-readinesscheck/
Helpful Resources
- Risk Analysis Buyer's Guide: analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
- AboutHIPAA.com Risk Analysis Resources: analysis-resources/
Clearwater HIPAA Compliance BootCamp™ Events
Take Your HIPAA Privacy and Security Program to a Better Place, Faster

Upcoming:
- December 11 | Live HIPAA BootCamp™ | St. Louis
- January 16 | Live HIPAA BootCamp™ | Austin
- February 12, 19, 26 | HIPAA Virtual BootCamp™

Other 2014 Plans - Live, In-Person Events (9 hours):
- March 17 - Detroit
- April 24 - San Francisco
- July 24 - Boston
- October 16 - Los Angeles

Other 2014 Plans - Virtual, Web-Based Events (three 3-hour sessions):
- May
- August
- November
Expert Instructors
- Bob Chaput, CISSP, CIPP/US, CHP, CHSS, CEO, Clearwater Compliance
- Mary Chaput, MBA, CIPP/US, CHP, CFO & Chief Compliance Officer, Clearwater Compliance
- Gregory J. Ehardt, JD, LL.M., HIPAA/Assistant Compliance Officer - HCA, Adjunct Professor, Office of General Counsel, Idaho State University
- James C. Pyles, Esq., Principal, Powers Pyles Sutter & Verville PC
- Meredith Phillips, MHSA, CHC, CHPC, Chief Information Privacy & Security Officer, Henry Ford Health System
- David Finn, CISA, CISM, CRISC, Health IT Officer, Symantec Corporation
In Summary - You Should Care
1. It's the law and the regulations (many laws and regulations): HIPAA & HITECH!
2. Your stakeholders trust and expect you to do this, and you may be liable if you don't!
3. Your revenues, assets and reputation depend on it!
Contact
Bob Chaput, MA, CISSP, CIPP/US
Clearwater Compliance LLC
Phone: or
Questions?