TRANSCRIPT
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
Welcome to today’s Live Event… we will begin shortly…
Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…
Webinar Slide Deck
http://clearwatercompliance.com/wp-content/uploads/2014/01/2014-01-17_How-To-Meet-HIPAA-HITECH-Encryption-Requirements_V3.pdf
Check “Chat” or “Question” area on GoToWebinar Control panel to copy/paste link and download materials
How to Meet HIPAA-HITECH Encryption Requirements & Beyond
WEBINAR
January 17, 2014
Stephen Treglia, JD | Legal Counsel, Recovery Section | Absolute Software Corporation | (877) [email protected]
Bob Chaput, CISSP, CIPP-US, CHP, CHSS | CEO & Founder | Clearwater Compliance LLC | 615-656-4299 or [email protected]
About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations!
So there!
Stephen Treglia, JD
• Legal Counsel, Absolute’s Investigations & Recovery Section 2010 – present
• Prosecutor in New York 1980-2010
• Investigated/prosecuted Organized Crime 1985-1995
• Used computers, seized computers
• Started investigating/prosecuting computer crime 1996
• Created one of first Technology Crime Units 1997, headed it to 2010
• Started investigating/prosecuting Absolute cases in 2006
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Session Objectives
1. Define and understand basic HIPAA-HITECH relevant terms and concepts
2. Review the specific requirements of HIPAA and HITECH for encryption
3. Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements
4. Address Why Encryption is Not Enough!
Answer Page!
1. Secure Your PHI – Avoid the “Wall of Shame” … Get Started Now
2. Technology solutions are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc)
4. Encryption is likely not enough; consider additional safeguards
Oops! Missed That Safe Harbor Thingy!
Covered Entity | State | Individuals Affected | Date | Type of Breach | Location
AvMed, Inc. | FL | 1,220,000 | 12/10/2009 | Theft | Laptop
Cincinnati Children's Hospital Medical Center | OH | 60,998 | 3/27/2010 | Theft | Laptop
Praxair Healthcare Services, Inc. | CT | 54,165 | 2/18/2010 | Theft | Laptop
Thomas Jefferson University Hospitals, Inc. | PA | 21,000 | 6/14/2010 | Theft | Laptop
Aultman Hospital | OH | 13,867 | 6/7/2010 | Theft | Laptop
Department of Health Care Policy & Financing | CO | 105,470 | 5/17/2010 | Theft | Desktop Computer
Montefiore Medical Center | NY | 23,753 | 6/9/2010 | Theft | Desktop Computer
St. Joseph Heritage Healthcare | CA | 22,012 | 3/6/2010 | Theft | Desktop Computer
University of Oklahoma-Tulsa, Neurology Clinic | OK | 19,264 | 7/25/2010 | Hacking/IT Incident | Desktop Computer
Montefiore Medical Center | NY | 16,820 | 5/22/2010 | Theft | Desktop Computer
Geisinger Wyoming Valley Medical Center | PA | 2,928 | 11/6/2010 | Unauthorized Access/Disclosure | E-mail
The Children's Medical Center of Dayton | OH | 1,001 | 4/22/2010 | Unauthorized Access/Disclosure | E-mail
Sinai Hospital of Baltimore, Inc. | MD | 937 | 5/3/2010 | Unauthorized Access/Disclosure | E-mail
Reliant Rehabilitation Hospital North Houston | TX | 763 | 2/9/2010 | Unauthorized Access/Disclosure | E-mail
Blue Cross Blue Shield of Tennessee | TN | 1,023,209 | 10/2/2009 | Theft | Hard Drives
Providence Hospital | MI | 83,945 | 2/4/2010 | Loss | Hard Drives
Puerto Rico Department of Health | PR | 400,000 | 9/21/2010 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server
Triple-S Salud, Inc. | PR | 398,000 | 9/9/2010 | Theft | Network Server
Seacoast Radiology, PA | NH | 231,400 | 11/12/2010 | Hacking/IT Incident | Network Server
Ankle & Foot Center of Tampa Bay, Inc. | FL | 156,000 | 11/10/2010 | Hacking/IT Incident | Network Server
Silicon Valley Eyecare Optometry and Contact Lenses | CA | 40,000 | 4/2/2010 | Theft | Network Server
Total Individuals Affected: 3,895,532
Key Terms & Concepts
1. Protected Health Information (PHI)
2. electronic PHI (ePHI)
3. Secured PHI
4. Unsecured PHI
5. Data Breach
6. Encryption
7. Destruction
8. Safe Harbor
9. Security Essentials
10. Required versus Addressable
Protected Health Information
• Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
• PHI is interpreted rather broadly and includes any part of a patient’s medical record or payment history
• … and that is linked to personal (18) identifiers
Data Breach
• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Don’t Panic!
(Diagram: Event → Incident → Breach, with a question mark at each step: not every event is an incident, and not every incident is a breach)
Unsecured PHI
• Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable
• CEs and BAs must only provide the required notification if the breach involved unsecured protected health information.
Encryption
Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.1
1 45 C.F.R. § 164.304 Definitions
Safe Harbor
“This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach.”1
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
Security Rule & Encryption
Privacy Rule: Reasonable Safeguards for all PHI
Administrative Safeguards for EPHI:
• Security Management Process
• Security Officer
• Workforce Security
• Information Access Mgmt
• Security Training
• Security Incident Process
• Contingency Plan
• Evaluation
• Business Associate Contracts
Technical Safeguards for EPHI:
• Access Control
• Audit Control
• Integrity
• Person or Entity Authentication
• Transmission Security
Physical Safeguards for EPHI:
• Facility Access Control
• Workstation Use
• Workstation Security
• Device & Media Control
22 Security Standards
HIPAA ACTUALLY SAYS LITTLE ABOUT ENCRYPTION!
Access Control (think Data at Rest)
45 C.F.R. §164.312(a)(1) Standard: Access Control.
(i) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
…
(2) Implementation specifications: (iv) Encryption and Decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Transmission Security (think Data in Motion)
45 C.F.R. §164.312(e)(1) Standard: Transmission Security.
(i) Transmission Security – Section 164.312(e)(1) – Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
The Security Rule: Required vs. Addressable1
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
(ii) As applicable to the entity—
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
ADDRESSABLE ≠ OPTIONAL
1 45 CFR 164.306(d)(3)
MU Stage 2 Requirements
Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.
The HITECH Act
THREE absolute “game changers”:
1) More Enforcement
2) Bigger fines
3) Wider Net Cast
HIPAA Rules Fall Short… HITECH Addressed
• No definition of Secured or Unsecured PHI in HIPAA!
• The HITECH Act requires the Secretary of Health and Human Services to issue guidance
• Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.
Encryption Definition (45 CFR 164.304 Definitions)
• Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
HHS / OCR Guidance1
• Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons:
• Encryption
• Destruction
• May be used to secure data in four commonly recognized data states:
1. data in motion
2. data at rest
3. data in use
4. data disposed
1 DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR Parts 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information
Encryption Guidance (Based on HHS/OCR Guidance1…)
• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
• Valid encryption processes for data in motion are those which comply, as appropriate, with:
• NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;
• NIST SP 800-77, Guide to IPsec VPNs;
• NIST SP 800-113, Guide to SSL VPNs;
• or others that are Federal Information Processing Standards (FIPS) 140-2 validated.
1 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
Destruction Guidance
• Must shred or destroy paper, film or other media
• Electronic media cleared, purged or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization
2012 OCR Audit Protocol
Audit Procedures
1. Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
2. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
a. Type(s) of encryption used.
b. How encryption keys are protected.
c. Access to modify or create keys is restricted to appropriate personnel.
d. How keys are managed.
3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.
Balanced Compliance Program (Clearwater Compliance Compass™)
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.
• Procedures or processes – documented – provide the actions required to deliver on the organization’s values.
• Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.)
Next Actions to Meet Requirements
1. Get Educated on Encryption
2. Determine Regulations that Apply to You
3. Include ALL “ePHI homes”
4. Decide If Encryption is Enough
5. Establish Selection Criteria
6. Identify Alternatives for Secure PHI
7. Test Top Alternatives – Don’t Create Bricks!
8. Ensure Fit Into an Overall HIPAA Compliance Plan
9. Put BAs and Subcontractors on Notice
10. Seek Help, If Needed
Is Encryption Enough?
Graphical representation of state laws
• NM, SD, Kentucky, Alabama lack statutes
• Darker colors – tougher laws
• Virginia considered toughest because of highest penalties
• California started this with law passed in 2002, effective 2003
• Generally applies to government agencies and businesses
• Some States also cover healthcare
What even constitutes a breach requiring notification?
• Again, varies State by State
• Typically, the release of a name and some other identifier
• Address, SSN, account number
• Some States have a harm requirement; some don’t
• Some require a minimum # breached before notification required
• Some make encryption a safe harbor; some don’t
But does encryption always = “Safe Harbor”?
• Those who claim encryption is a safe harbor to HIPAA regulation should read 74 Federal Register 79 – issued 4/27/09
• Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• At page 19009 – “(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.”
New York General Business Law § 899-aa
Prior statute:
• "Personal identifying information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:
Current statute:
• "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
Several States do allow encryption to be a safe harbor
Arizona 44-7501A
• 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions
A. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.
What does all this volatility mean to you?
• Causes the most problems for multi-state entities
• How do compliance officers respond?
• They comply with the “highest denominator”
• Means they comply with the toughest State statutes to play it safe
• If in compliance with the toughest, they’re in compliance with the rest
• Why is staying compliant important?
Consider More Robust Technology
Many Services/Many Solutions/Even Unique Ones
• Computrace/Lojack for Laptops/Patented Persistence – Unique to the industry
• Many devices/one solution – Also unique
• Recovery staff of 43 ex-law enforcement officers/over 1000 years experience – Also unique
• Encrypted devices/Encryption Reports
• Device Freeze/Data Delete
• Geo-fencing/Data Loss Prevention
• Forensic/Investigative Services
• Can tell what data is and isn’t seen/Report generated
Compliance is important way beyond HIPAA penalties & fines
• Think as an ambulance-chasing attorney for a moment
• Each listing of a breached healthcare system is > 500 identities
• Generally, breached identity is valued at a minimum of $1000
• Class action lawsuit just waiting to happen
Shooting fish in a barrel
Shooting sitting ducks (from a blind that’s not all that blind)
Apropos analogies?
A $4.9 BILLION Lawsuit
• U.S. Dept. of Defense defendant for theft of computer tape from car driven by employee of the subcontractor of one of its Business Associates
• Records of 4.9 million members of military on the tape
• $1000 per victim = $4.9 billion
• Business Associate also a defendant, but not the subcontractor (sue the entities with the biggest pockets)
Another $4 BILLION Lawsuit ???
Failing to use Encryption
Share Price
(Chart: Accretive Health share price over five years, annotated with the events below)
July 2011 – Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car
• 1/19/2012 MN SAG Suit
• 7/31/2012 $2.5M MN SAG Settlement
• 4/2/2013 CEO Replaced
• 6/13/2013 Class Suit
• 8/26/2013 CFO Replaced
• 9/27/2013 $14M Class Settlement
• 12/31/2013 FTC Settlement
http://finance.yahoo.com/echarts?s=AH+Interactive#symbol=ah;range=5y;compare=;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined;
Summary
1. Secure Your PHI – Avoid the “Wall of Shame” … Get Started Now
2. Technology solutions are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc)
Resources
Risk Analysis Buyer’s Guide:
http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
Encryption & Risk Analysis Information:
http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/
Resources
Register For Upcoming Live HIPAA-HITECH Webinars at:
http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded Webinars like this one at:
http://clearwatercompliance.com/on-demand-webinars/
Clearwater HIPAA Compliance BootCamp™ Events
Take Your HIPAA Privacy and Security Program to a Better Place, Faster
February 12, 19, 26 | HIPAA Virtual BootCamp™
March 17 | Live HIPAA BootCamp™ | Detroit
Other 2014 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• May 14-21-28
• August 13-20-27
• November 5-12-19
Other 2014 Plans – Live, In-Person Events (9 hours):
• March 17 – Detroit
• April 24 – San Francisco
• July 24 – Boston
• October 16 – Los Angeles
HIPAA Compliance BootCamp™: HOW TO…
Welcome, Introductions and Overview
1. How to Set Up Your Privacy and Security Risk Management & Governance Program
2. How to Assess Your Increased Liability Risk Under the Omnibus Final Rule
3. How to Develop & Implement Comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to Prepare for and Manage an OCR Investigation
5. How to Train all Members of Your Workforce
Networking Luncheon & Refresh
6. Panel Discussion – How to Implement a Strong, Proactive Business Associate Management Program
7. How to Complete All HIPAA Security Rule Assessment Requirements
Networking Break
8. Presentation and Panel Discussion: How to Create a “Culture of Compliance”
9. How to Assess and Monitor Your Compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule
Buffer Time, Q&A, Final Remarks
Attendee Reception (optional)
Expert Instructors
Gregory J. Ehardt, JD, LL.M. | HIPAA/Assistant Compliance Officer – HCA | Adjunct Professor, Office of General Counsel, Idaho State University
Bob Chaput, CISSP, CIPP/US, CHP, CHSS | CEO | Clearwater Compliance
Elizabeth Warren, Esq. | Partner | Bass, Berry & Sims, PLC
Mary Chaput, MBA, CIPP/US, CHP | CFO & Chief Compliance Officer | Clearwater Compliance
Meredith Phillips, MHSA, CHC, CHPC | Chief Information Privacy & Security Officer | Henry Ford Health System
David Finn, CISA, CISM, CRISC | Health IT Officer | Symantec Corporation
Contact
Stephen Treglia, JD | Legal Counsel, Recovery Section | Absolute Software Corporation | (877) [email protected]
Bob Chaput, CISSP, CIPP-US, CHP, CHSS | CEO & Founder | Clearwater Compliance LLC | 615-656-4299 or [email protected]