Instructional Module 8: How to Create a Culture of Compliance (Clearwater Compliance LLC)
Presentation transcript:

© Clearwater Compliance LLC | All Rights Reserved

Slide 1: Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to

Slide 2: Legal Disclaimer
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Slide 3: Instructional Module 8: How to Create a Culture of Compliance

Slide 4: Module 8 Overview
1. “How to Create a Culture of Compliance”
2. Instructional Module Duration = 60 minutes
3. Learning Objectives Addressed in This Module
– Describe real breach experiences that motivate organizations
– Articulate the Breach Notification process and how to operate it efficiently and effectively
– Develop a plan to take advantage of a breach as an opportunity to engage senior management
– Learn and understand that privacy, security and compliance are, ultimately, people issues
– Recognize that culture drives practice, not tools and rules
– Know that you can lead from anywhere and that only sustainable change actually transforms people and processes

Slide 5: Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)
– Policy defines an organization’s values and expected behaviors and establishes “good faith” intent.
– People must include talented privacy, security and technical staff, engaged and supportive management, and trained, aware colleagues who follow the policies and procedures.
– Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
– Safeguards include the various families of administrative, physical and technical security controls (“guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

Slide 6: 9 Actions to Take Now
1. Set a Privacy and Security Risk Management & Governance Program in place (45 CFR § (a)(1))
2. Develop & implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR § and 45 CFR § )
3. Train all members of your workforce (45 CFR § (b) and 45 CFR § (a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR § (a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § (a)(8))
6. Complete technical testing of your environment (45 CFR § (a)(8))
7. Implement a strong, proactive Business Associate management program (45 CFR § (e) and 45 CFR § (b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR § and 45 CFR § )
9. Document and act upon a remediation plan
Demonstrate good faith effort!

Slide 7: How to Build a Culture of Compliance

Slide 8: What is a Culture of Compliance?
The backdrop, the standard, the expectation: “guardrails” placed by society, employers, peers.

Slide 9: Where does it come from?
From the top down:
– It is learned
– Applies to everyone
– Consistently
– Enforced by ALL
– Real sanctions
And from the bottom up, if you are doing it right.

Slide 10: Why a Culture of Compliance?
Anyone can make something happen... but you have to keep it happening. This is how sustainable change happens:
– Personally
– Organizationally
No one can do it alone: every member of your workforce has to be a Privacy and Security Officer.

Slide 11: Good Culture is Good Business
Breaches cost money:
– Total net cost of 10,000 records lost, with breach insurance at 80% of direct costs = $1,560,000 [1]
– Loss of reputation
– Loss of patients
– Loss of quality of care
Building culture:
– Requires consistency
– “Is like a Chinese water torture”
– Asking questions / making suggestions
There is a return on investment for good privacy and security.

[1] American National Standards Institute: “The Financial Management of Cyber Risk”

Slide 12: Then and Now
David’s world:
– Pre-HIPAA (Privacy Rule issued, pre-compliance; Security Rule not yet published)
– No burning platform
– Little awareness of privacy and security issues and concerns
– Senior leadership: “Not our problem”
– Understaffed, underbudgeted
– The old healthcare paradigm
Meredith’s world:
– Post-HIPAA, post-Omnibus
– Enforcement, fines, media attention
– Everyone knows what can happen
– Senior leadership: “I’ll hire someone to take care of it”
– Understaffed, underbudgeted
– Drastic changes in care delivery models and reimbursement
– Incredible new pressures on providers

Slide 13: And what hasn’t changed
– This is a people issue... not technological
– This is about behaviors and habits... not rules
– This is about understanding what you can and can’t do and how to do it... not keeping people from doing what they need to do
– This is, ultimately, about taking care of people (patients, staff, workforce, physicians/caregivers)