Legal Disclaimer - Clearwater · 5/26/2016 · The evaluation standard § 164.308(a)(8) requires...
TRANSCRIPT
Page 1
© Clearwater Compliance | All Rights Reserved
Legal Disclaimer
The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
Page 2
The Critical Difference - HIPAA Security Compliance Evaluation vs. HIPAA Security Risk Analysis
May 26, 2016
Page 3
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Healthcare Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates
• Member: ACAP, CHIME/AEHIS, CAHP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA
http://www.linkedin.com/in/BobChaput
Page 4
Some Ground Rules
1. Slide materials: check your Inbox and/or “Handouts” area on GoToWebinar Control to download materials now
2. Questions in “Question Area” on GTW Control Panel
3. In case of technical issues, check “Chat Area”
4. All Attendees are in Listen Only Mode
5. Please complete Exit Survey when you leave session
6. Recorded version and final slides within 48 hours
Page 5
Pause and Quick Poll
What type of organization do you represent?
• Hospital or Health System
• Other Covered Entity
• Business Associate
• Hybrid
• Don’t Know
Page 6
Our Passion
We’re excited about what we do because…
…we’re helping organizations improve patient safety and the quality of care by safeguarding the very personal and private healthcare information of millions of fellow Americans…
… And, keeping those same organizations off the Wall of Shame…!
Page 7
Connect the Dots! Cyber Risk Management & Patient Safety
(diagram linking Confidentiality, Integrity and Availability with Timely Care, Access to Care, and Quality and Safe Care)
https://clearwatercompliance.com/industry-insights/white-papers/
Page 8
Awards and Recognition
(award logos: 2015 & 2016 | Exclusive Industry Resource Provider | Software Used by NSA/CAEs | Sole Source Provider | #11 – 2015 & 2016)
Page 9
We are not attorneys! Ensure Competent Counsel
The Omnibus has arrived! Welcome Aboard, BAs!
Lots of different interpretations! Please, Ask Lots of Questions!
But FIRST!
Page 10
Pause and Quick Poll
How many Clearwater Compliance webinars have you attended before?
Page 11
We Treat Compliance and Cyber Risks as Business Risks
Cyber and Compliance Risk Management is Not ”an IT Problem”
• Damage to Brand
• Financial
• Third Party Liability
• Cyber
• Compliance
• Business Interruption
• Patient Safety
• Competition
• Talent Acquisition
Page 12
Mega Session Objective 1:
Help you understand and address three very specific AND different HIPAA Security Rule assessment requirements…
Page 13
Mega Session Objective 2:
Explain Why Security Opinions (e.g., SSAE SOC 2) or “Certifications” (e.g., HITRUST) Have ABSOLUTELY NOTHING to do with HIPAA Compliance
Page 14
OCR FAQ on 3rd Party Certifications
Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
http://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html
Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.
It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
Page 15
Discussion Flow
01 Understand HIPAA Security Rule Assessment Essentials
02 Review specific HIPAA Security Assessment Regulations
03 Learn how to Complete These Assessments
Page 16
Three Pillars of HIPAA-HITECH Compliance…
(diagram: HIPAA, HITECH, OMNIBUS FINAL RULE)
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; 54 Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; 50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
View HIPAA 101 On Demand | View HIPAA Security Rule
Page 17
Assessments and Audits Are Central to Compliance & Security
• Establishing good policy and procedures is not enough…
• Comprehensive business processes are not enough…
• Deploying leading technology solutions and systems controls is not enough…
Regular assessments are crucial in establishing and maintaining effective compliance | Regular assessments are controls
Page 18
Types of Assessments
1. Compliance Assessments (Security Evaluation - Non-Technical, at 45 CFR §164.308(a)(8))
   • Where do we stand?
   • How well are we achieving ongoing compliance?
2. Technical Assessments (Security Evaluation - Technical, at 45 CFR §164.308(a)(8))
   • How effective are the safeguards we have implemented?
   • Are the safeguards working?
3. Risk Assessment (Risk Analysis, at 45 CFR §164.308(a)(1)(ii)(A))
   • What is the exposure to information assets (e.g., ePHI)?
   • What do we need to do to mitigate risks?
4. Risk-of-Harm Breach Risk Assessment (Breach-related, in HITECH parlance)
   • Have we caused legal, reputational, etc. harm?
   • Is there a low probability of compromise of PHI?
Each Assessment Has Its Role and Proper Time
Page 19
All Three Are Required!
Page 20
“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
Evidence of Risk Analysis is Always Requested
Page 21
“B) Risk Assessment
1) Please provide complete copies of any security risk analyses that were performed to comply with 45 C.F.R. §164.308(a)(1)(ii)(A) prior to the security breach incident.”
Evidence of Risk Analysis is Always Requested
Page 22
Discussion Flow
02 Review specific HIPAA Security Assessment Regulations
Page 23
Security Evaluation v. Risk Analysis
45 C.F.R. §164.308(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
45 C.F.R. §164.308(a)(1) Standard: Security Management Process
(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Page 24
New Audit Protocol is Here
May 18, 2016 Interview: http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178
• “Still validating contact information”
• “Definitely this summer”
• “A total of between 200 and 250 organizations - including both covered entities and business associates; 10-25 ‘full scale’ onsite audits”
• "We've done a lot of work to try to make it much more comprehensive”
• "For example, time and again we see that entities are not doing a security risk assessment that are enterprise-wide ... that take into account all the electronic protected health information that is in their environments.”
Page 25
Phase 2 OCR Audits
• Only documentation submitted on time is reviewed
• All documentation must be current as of the date of the request
• Auditors will not be able to contact the entity for clarifications or ask for additional information
• Critical that documentation accurately reflects the program
• OCR wants a diverse pool of CEs and BAs to audit – varying size, geographical location, what they do etc…
2016 Covered Entity Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Content and timeliness of breach notifications
• Privacy—Notice of Privacy Practices and Access
2016 Business Associate Desk Audit Scope
• Security—Risk Analysis and risk management
• Breach—Breach reporting to covered entities
One Shot! | Fast Turn-Around | Best Be Super Ready
Page 26
Discussion Flow
03 Learn how to Complete These Assessments
Page 27
Three Dimensions of HIPAA Security Rule Business Risk Management
TEST & AUDIT
• Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
• Non-Technical Compliance Assessment (45 CFR §164.308(a)(8))
• Technical Testing & Audits (45 CFR §164.308(a)(8))
Page 28
Security Evaluation | 2016 Audit Protocol | 1
Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
• Does the entity have policies and procedures in place to perform periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?
• Does the entity perform periodic technical and nontechnical evaluation in response to environmental or operational changes or newly recognized risk affecting the security of ePHI?
Page 29
Security Evaluation | 2016 Audit Protocol | 2
Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry: Determine if such policies and procedures identify how the evaluation of findings, remediation options and recommendations, and remediation decisions are documented; specify that evaluations will be repeated on a periodic basis and/or when environmental and operations changes are made and/or newly recognized risk affects the security of ePHI; and identify the frequency of when to evaluate and update the current policy and procedures.
Page 30
Security Evaluation | 2016 Audit Protocol | 3
Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry: Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in the technical and nontechnical evaluation
• Management involvement in the process and approval of technical and nontechnical evaluation
• Coordination of technical and nontechnical evaluation among departments
• Specification of how technical and nontechnical evaluation will be conducted
• How technical and nontechnical evaluation findings will be addressed
Page 31
Security Evaluation | 2016 Audit Protocol | 4
Audit Type: Security
Section: §164.308(a)(8)
Key Activity: Evaluation
Established Performance Criteria: §164.308(a)(8): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate’s security policies and procedures meet the requirements of this subpart.
Audit Inquiry:
• Evaluate and determine if such evaluation appropriately evaluates ePHI security measures; addresses evaluation findings associated with noncompliant security measures; identifies and measures risks associated with noncompliant security measures; and that evaluation findings are reviewed and certified by appropriate management.
• Obtain and review documentation of plans related to risk management or mitigation efforts in response to evaluations conducted due to a major technology change which affected the security of ePHI. Evaluate and determine if the identified risks associated with noncompliant security measures are addressed in a plan related to risk management or mitigation efforts.
Page 32
Thinking Like a Compliance Analyst
Clearwater’s Methodology is Based on OCR Investigation Process and Audit Protocol
Compliance Risk exists when….
• Policies & Procedures (PnPs) DO NOT EXIST or ARE INCOMPLETE or OUT OF DATE
• People Are Not Trained and/or Not Following PnPs
• Reasonable & Appropriate Actions Are Not Taken and/or Safeguards Are Not Implemented
Page 33
3 Dimensions of HIPAA Non-Technical Security Evaluation (a.k.a. Compliance Gap Assessment, a.k.a. Mock Audit)
1. Is it documented? Policies, Procedures and Documentation
2. Are you doing it? Using, Applying, Practicing, Enforcing
3. Is it Reasonable and Appropriate? Comply with the implementation specification
Think: Performance Audit ≠ Risk Analysis
Page 34
Use 2012 OCR Audit Document Request List
Are you prepared to quickly assemble and submit all necessary policies, procedures and documentation?
Page 35
For Example, Self-Audit of Sanction Standards
Administrative Requirements §164.530(e)
(1) Standard. A covered entity or business associate must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.
(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity or business associate must document the sanctions that are applied, if any.
Administrative Safeguards §164.308(a)(1)(ii)
(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Page 36
Demonstrate Complete Coverage
Must rigorously cover every:
• Area
• Standard
• Implementation Spec or Requirement
Page 37
Examine Three Critical Self-Audit Questions
1. Policies/Procedures?
2. Enforcing them?
3. Reasonable and Appropriate?
Page 38
Pause and Quick Poll
Has Your Organization Completed a HIPAA “Non-technical” Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8)) ?
Page 39
Three Dimensions of HIPAA Security Rule Business Risk Management (recap)
TEST & AUDIT
• Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
• Non-Technical Compliance Assessment (45 CFR §164.308(a)(8))
• Technical Testing & Audits (45 CFR §164.308(a)(8))
Page 40
HIPAA Security Technical Evaluation
• External Vulnerability Assessment & Pen Testing
• Internal Vulnerability Assessment & Pen Testing
• Web Application Assessment
• Wireless Security Assessment
• Security Awareness Assessment
• Sensitive Data Discovery Scans
Think: Test of Efficacy and Effectiveness of Controls ≠ Risk Analysis
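As an added illustration of the last item in that list (this is example code written for this transcript, not Clearwater's tooling or methodology), the script below performs a minimal sensitive data discovery scan: it looks for individual identifiers (SSN, a hypothetical "MRN" label format) and health context (labelled date of birth, a simplified ICD-10-CM code shape, a few clinical keywords), masks every hit so the report is not itself ePHI, and rates each file as ePHI only when an identifier and health information appear together. The SSN structural rules are real; the MRN convention, the keyword list and the ICD-10 shape are simplifying assumptions, and the sample "files" are constructed inline so the scan runs offline.

```python
"""Added example (not from the Clearwater deck): a minimal sensitive data
discovery scan of the kind listed under the HIPAA Security Technical
Evaluation. It finds ePHI indicators in text, masks what it reports, and
rates each file. SSN structure rules are real; the MRN format, ICD-10 code
shape and keyword list are simplified assumptions for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Individual identifiers. SSN: area not 000/666/9xx, group not 00, serial not 0000.
# MRN: an assumed local convention ("MRN" label followed by 6-10 digits).
IDENTIFIER_PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}
# Health context: labelled date of birth, simplified ICD-10-CM code shape
# (letter, two digits, optional dotted extension), and a few clinical keywords.
HEALTH_PATTERNS = {
    "DOB": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "ICD10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b"),
    "CLINICAL": re.compile(r"\b(?:diagnosis|prescription|lab result|treatment plan)\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str    # key from the pattern tables above
    masked: str  # redacted match text, safe to put in a report


def mask(value: str) -> str:
    """Replace every digit except the last four with '*'."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per pattern match, line by line, identifiers first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for table in (IDENTIFIER_PATTERNS, HEALTH_PATTERNS):
            for kind, pattern in table.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(path, line_no, kind, mask(match.group(0))))
    return findings


def classify(findings: list[Finding]) -> str:
    """ePHI requires an individual identifier together with health information.
    Either alone is reported at lower severity so the scan does not cry wolf."""
    kinds = {f.kind for f in findings}
    has_id = bool(kinds & set(IDENTIFIER_PATTERNS))
    has_health = bool(kinds & set(HEALTH_PATTERNS))
    if has_id and has_health:
        return "ePHI"
    if has_id:
        return "PII"
    if has_health:
        return "CLINICAL"
    return "CLEAN"


def scan_files(files: dict[str, str]) -> dict[str, tuple[str, list[Finding]]]:
    """Map each path to (rating, findings). `files` stands in for a directory
    walk; in practice read each file's text and call scan_text on it."""
    report = {}
    for path, text in files.items():
        findings = scan_text(path, text)
        report[path] = (classify(findings), findings)
    return report


# Constructed sample "files" (not real data) covering the main cases,
# including SSN shapes that are structurally invalid and must not match.
SAMPLE_FILES = {
    "share/billing/export.csv": (
        "name,ssn,mrn,dob,dx\n"
        "J. Doe,123-45-6789,MRN:00123456,DOB: 04/12/1975,E11.9\n"
    ),
    "share/hr/roster.txt": "Employee 321-54-9876 start date 01/02/2015\n",
    "share/it/runbook.md": "Restart the service after applying the patch.\n",
    "share/it/sanity.txt": "Test values 000-12-3456 and 666-00-0000 must not match.\n",
    "share/research/codes.txt": "Common diagnosis codes: I10, E11.9, F32.1 (no patient identifiers)\n",
}

if __name__ == "__main__":
    for path, (rating, findings) in scan_files(SAMPLE_FILES).items():
        print(f"{rating:8} {path}")
        for f in findings:
            print(f"         line {f.line_no}: {f.kind} {f.masked}")
```

The rating is a triage aid for the technical evaluation (where is ePHI actually sitting, and is it where the controls say it should be?); it is not a risk analysis, which still has to weigh threats, vulnerabilities, likelihood and impact for each of those locations. Pattern-based discovery also produces false positives and misses free-text identifiers, so hits should be confirmed by hand before they drive remediation decisions.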
Page 41
References
• NIST SP 800-53A rev1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations (Building Effective Security Assessment Plans): http://clearwatercompliance.com/wp-content/uploads/2014/01/NIST-SP800-53A-rev1-final_Guide_for_Assessing_the_Security_Controls_in_Federal_Information_Systems_and_Organizations-Building_Effective_SAPs.pdf
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: http://clearwatercompliance.com/wp-content/uploads/2013/12/SP800-115-Technical-Guide-to-Information-Security-Testing-and-Assessment.pdf
Page 42
Pause and Quick Poll
Has Your Organization Completed the Technical Evaluation (=Testing) of Your Environment (45 CFR § 164.308(a)(8))?
Risk Analysis | 2016 Audit Protocol | 1
Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
• Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
Risk Analysis | 2016 Audit Protocol | 2
Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• Determine how the entity has implemented the requirements.
• Obtain and review risk analysis policies and procedures. Evaluate and determine if written policies and procedures were developed to address the purpose and scope of the risk analysis, workforce member roles and responsibilities, management involvement in risk analysis and how frequently the risk analysis will be reviewed and updated.
Risk Analysis | 2016 Audit Protocol | 3
Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted.
• Evaluate and determine whether the risk analysis or other documentation contains:
  • A defined scope that identifies all of its systems that create, transmit, maintain, or transmit ePHI
  • Details of identified threats and vulnerabilities
  • Assessment of current security measures
  • Impact and likelihood analysis
  • Risk rating
Risk Analysis | 2016 Audit Protocol | 4
Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• Obtain and review documentation regarding the written risk analysis or other documentation that immediately preceded the current risk analysis or other record, if any.
• Evaluate and determine if the risk analysis has been reviewed and updated on a periodic basis, in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
Risk Analysis | 2016 Audit Protocol | 5
Audit Type: Security
Section: §164.308(a)(1)(ii)(A)
Key Activity: Security Management Process -- Risk Analysis
Established Performance Criteria: §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Audit Inquiry:
• If there is no prior risk analysis or other record, obtain and review the two (2) most recent written updates to the risk analysis or other record, if any.
• If the original written risk analysis or other records have not been updated since they were originally conducted and/or drafted, obtain and review an explanation as to the reason why.
Risk Analysis
Identify, Rate and Prioritize All Risks
1. What is the exposure of our information assets (e.g., ePHI)?
2. What are all the ways in which the confidentiality, integrity or availability of ePHI might be compromised?
Thinking Like a Risk Analyst
Security Risk exists when and only when….
• THREAT (Actor)
• VULNERABILITY IN PROTECTING AN ASSET
• IMPACT (LOSS OF OR HARM to ASSETS)
MUST HAVE A “TRIPLE” TO HAVE RISK = ASSET – THREAT – VULNERABILITY!
Clearwater’s Methodology is Based on HHS/OCR Guidance and NIST SP800-30
Risk Analysis IS:
…the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.¹
1 NIST SP800-30
Controls Help Address Vulnerabilities
Information Asset: Laptop with ePHI
Threat Source: Burglar who may steal laptop with ePHI
Threat Action: Steal Laptop
Vulnerabilities:
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up
Controls:
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup
HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule¹
1. Include all Sensitive Information in Scope of the Analysis
2. Collect and Document Data About All Information Assets
3. Identify and Document Potential Threats and Vulnerabilities
4. Assess Current Security Measures
5. Determine the Likelihood of Threat Occurrence
6. Determine the Potential Impact of Threat Occurrence
7. Determine the Level of Risk
8. Finalize Documentation
9. Periodically Review and Update the Risk Assessment
1 http://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf
Consider Asset-Threat-Vulnerability Triples; Determine the Level of Risk for Each
Asset  | Threat Source / Action | Vulnerability       | Likelihood | Impact     | Risk Level
-------|------------------------|---------------------|------------|------------|-----------
Laptop | Burglar steals laptop  | No encryption       | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | Weak passwords      | High (5)   | High (5)   | 25
Laptop | Burglar steals laptop  | No tracking         | High (5)   | High (5)   | 25
Laptop | Shoulder Surfer views  | No privacy screen   | Low (1)    | Medium (3) | 3
Laptop | Careless User Drops    | No data backup      | Medium (3) | High (5)   | 15
Laptop | Lightning Strike       | No surge protection | Low (1)    | High (5)   | 5
etc.
(Risk Level = Likelihood × Impact on the Low (1) / Medium (3) / High (5) scale.)
Risk Management Guidance
Guidance on Risk Analysis Requirements under the HIPAA Security Rule (Final)
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Revision 3 (final), Recommended Controls for Federal Information Systems and Organizations
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
Risk Analysis Method - HHS OCR Guidance on Risk Analysis
• Scope of the Analysis - all ePHI must be included in the risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
The System Enables:
• Finalize Documentation
• Periodic Review and Updates
Show your work!
Risk Register
Publish Your Risk Register
Generally, Avoid, Mitigate or Transfer
Generally, Accept
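The triples table, the OCR method steps and the risk register above describe one procedure: enumerate asset–threat–vulnerability triples, rate likelihood and impact, multiply to get a risk level, sort, decide treatment, and re-review periodically. The script below is an added example that does exactly that; it is not Clearwater's IRM|Analysis software and not OCR's own tool. Its sample rows are constructed from the six laptop triples on the slide. Three things are assumptions because the slides do not state them: risk level = likelihood × impact on the 1/3/5 scale, an `ACCEPT_THRESHOLD` of 9 separating "generally accept" from "generally avoid, mitigate or transfer", and a `REVIEW_INTERVAL` of 365 days for the periodic-update check the audit protocol asks about.

```python
"""Asset-Threat-Vulnerability triple scoring and a printable risk register.

Added example, not Clearwater's or OCR's code.  Assumed (not on the slides):
risk level = likelihood x impact on the Low/Medium/High = 1/3/5 scale,
ACCEPT_THRESHOLD = 9 as the accept / treat boundary, REVIEW_INTERVAL = 365 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Rating scale used in the slide's table: Low (1), Medium (3), High (5)
SCALE = {"Low": 1, "Medium": 3, "High": 5}

# Assumed treatment boundary: at or above it -> avoid / mitigate / transfer,
# below it -> accept (the slides only say "generally").
ACCEPT_THRESHOLD = 9

# Assumed policy value for the "reviewed and updated on a periodic basis" check.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Triple:
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High"

    @property
    def risk_level(self) -> int:
        """Risk Level = Likelihood x Impact, as in the slide's table."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def treatment(self) -> str:
        if self.risk_level >= ACCEPT_THRESHOLD:
            return "avoid/mitigate/transfer"
        return "accept"


# Constructed sample input: the six rows of the slide's triples table.
TRIPLES = [
    Triple("Laptop", "Burglar steals laptop", "No encryption", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "Weak passwords", "High", "High"),
    Triple("Laptop", "Burglar steals laptop", "No tracking", "High", "High"),
    Triple("Laptop", "Shoulder surfer views", "No privacy screen", "Low", "Medium"),
    Triple("Laptop", "Careless user drops", "No data backup", "Medium", "High"),
    Triple("Laptop", "Lightning strike", "No surge protection", "Low", "High"),
]


def risk_register(triples):
    """Prioritised register: highest risk level first (stable for ties)."""
    return sorted(triples, key=lambda t: t.risk_level, reverse=True)


def needs_review(last_reviewed: str, today: str, significant_change: bool = False) -> bool:
    """Periodic-review rule from the audit protocol: the analysis must be
    updated on a schedule OR in response to an environment change, security
    incident or other significant event.  Dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_reviewed)
    return significant_change or age > REVIEW_INTERVAL


def render(triples) -> str:
    """'Show your work': a plain-text register an auditor can read."""
    header = f"{'Asset':<8}{'Threat':<24}{'Vulnerability':<20}{'L':>3}{'I':>3}{'Risk':>6}  Treatment"
    rows = [header]
    for t in risk_register(triples):
        rows.append(
            f"{t.asset:<8}{t.threat:<24}{t.vulnerability:<20}"
            f"{SCALE[t.likelihood]:>3}{SCALE[t.impact]:>3}{t.risk_level:>6}  {t.treatment}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(TRIPLES))
    # Constructed dates: a register last reviewed in January 2015, checked on the webinar date.
    print("review overdue:", needs_review("2015-01-15", "2016-05-26"))
```

Because every row carries its likelihood, impact and computed level, the rendered register is the documentation the audit protocol asks for (scope, threats and vulnerabilities, likelihood/impact analysis, risk rating), and `needs_review` encodes the "not a once and done" point: a register that has not been re-examined within the interval, or after a significant event, is flagged regardless of its scores.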
Not a Once & Done
“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. §164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”
Really?
You Must Get Specific on Media, Threat Sources, Threat Actions, Vulnerabilities, etc.
Recent OCR Follow Up We’ve Seen
"OCR has determined that the risk analysis submitted by your organization as part of its October xx, 2015 response does not meet the requirement set forth at 45 CFR § 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis requirement located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html. For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf”
Recommendation: You must follow OCR guidance and NIST SP800-30.
Pause and Quick Poll
Has Your Organization Completed a bona fide, comprehensive HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))?
Download Whitepaper
Harnessing the Power of NIST: Your Practical Guide to Effective Information Risk Management
https://clearwatercompliance.com/thought-leadership/white-papers/harnessing-the-power-of-the-nist-framework/
Other Helpful Resources:
Recorded Webinars at https://clearwatercompliance.com/on-demand-webinars/
o How To Conduct a Bona Fide HIPAA Security Risk Analysis
o How to Conduct the Periodic Security Evaluation Required by HIPAA Security Rule
o What Business Associates Need to Know about HIPAA
Blog Post
HIPAA Audit Tips – Don’t Confuse HIPAA Security Evaluation and Risk Analysis
Industry-leading HIPAA compliance software: Suite
• Gap Assessment: Against all HIPAA Security Standards
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Assign Work: Managed accountability and due dates
• Dashboards & Reports: Display period-to-period compliance progress
• Insight: Understand significant threats and vulnerabilities
• Controls: Determine if you have the right controls in place
• Risk Rating: View critical risks on intuitive dashboards and reports
• Manage Complexity: Automate the management of risk information across complex enterprises
• Plan and Evaluate: Plan a course of action to reduce critical risks
• Gap Assessment: Against all HIPAA Privacy standards
• Breach Preparation: Compliance w/Breach Notification under HITECH
• Audit Simulation: Against HHS Audit protocols
• Recommendations: Automated expert remediation plan
• Dashboards & Reports: Display period-to-period compliance progress
Clearwater’s Customer Engagement Model
“We do it for you”: Clearwater provides content, strategy, leadership, tools, software and resources to complete program evaluations, policies, procedures, gap assessments, risk analyses, risk response plans, etc. Customer reviews recommendations.
“We do it with you”: Clearwater and Customer teams perform gap assessments and risk analyses, validate findings, observations and recommendations, prioritize remediation items and develop recommendations.
“We train you to do it”: Clearwater teaches Customer how to perform gap assessments and risk analyses AND to measure information risk management maturity levels to establish continuous process improvement.
(Spectrum from Clearwater’s Role to Customer Role)
Our goal at Clearwater is to help Your Organization become as self-sufficient as you would like to be, as quickly as you would like to be.
Clearwater HIPAA and Cybersecurity BootCamp™
Take Your HIPAA Privacy and Security Program to a Better Place, Faster …
Earn up to 10.8 CPE Credits!
http://clearwatercompliance.com/bootcamps/
Designed for busy professionals, the Clearwater HIPAA and Cybersecurity BootCamp™ distills into one action-packed day the critical information you need to know about the HIPAA Privacy and Security Final Rules and the HITECH Breach Notification Rule.
Join us for our next virtual, web-based events… Three 3-hour sessions:
• August 4th, 11th, 18th, 2016
• November 3rd, 10th, 17th, 2016
• February 9th, 16th, 23rd, 2017
• May 4th, 11th, 18th, 2017
Other Upcoming Clearwater Events
Visit https://clearwatercompliance.com/webinars/ for more info!
• June 9, 2016 – Complimentary Webinar: How to Conduct a HIPAA Security Compliance Self Audit
• June 14, 2016 – Complimentary Software Guided Tour: IRM|Analysis™
• June 2, 2016 – Complimentary Webinar: How to Develop your HIPAA Policies and Procedures
• June 7, 2016 – Complimentary Software Guided Tour: IRM|Analysis™: Risk Response Module
Why Our Customers Say They Choose Us
01 Our Credibility
02 Our Capability
03 Our Customers
04 Our Commitment
• Case studies, testimonials and references from 100s of hospitals and health systems across the USA
• Exclusive American Hospital Association endorsement and numerous other industry recognitions
• Dedication to the healthcare industry and education to support organizations building their own competencies
• Unique, risk-based business approach to compliance and cyber risks; not “an IT problem”
Clearwater’s Net Promoter Score¹
Strong Customer Satisfaction Drives Strong and Lasting Relationships
• Net Promoter Scores are a quick topline view of how businesses are performing²
• Strong Customer Satisfaction creates partnership opportunities and a win-win relationship
1 Net Promoter Industry Benchmarks
2 Industry Leaders Net Promoter Scores
Summary and Next Steps
1. There are two kinds of risk to assess:
   1. Compliance Risk
   2. Security Risk
2. Both can trigger huge Financial Risk
3. Stay Business Risk Management and Patient/Member/Customer-Focused
4. Not ‘once and done’!
5. Large or Small: Get Help (Tools, Experts, etc.)
6. Don’t Fall For SOC2 or HITRUST “Checklists”: They Don’t Help with Compliance / They Don’t Help With Security
…Simply Makes Good Business Sense…
Contact
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
http://[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC
Exit Survey, Please
As Seen In…
Learning Outcomes… Attendees Will Be Able To:
• Explain what OCR looks for in an audit or investigation regarding Security Evaluation and Risk Analysis
• Take practical steps to complete Security Evaluations and Risk Analyses
• Explain how Security Evaluations and Risk Analyses fit into an overall HIPAA Compliance Program
• Articulate and cite explicit HIPAA Security Rule requirements
• Explain Why Security Evaluation is Not a Risk Analysis and vice versa
Resources will be provided at the end of the session and all registrants will receive a copy of all slide materials & the recorded webinar.
References / Articles for Your Own HITRUST Due Diligence
• HITRUST or High Risk? The Health Information Trust Alliance’s Common Security
• An Open Letter to the HITRUST Alliance
• HITRUST Breaches Lay the Welcome Mat for Hackers and Paydirt
• Should Business Associates Be HiTrust Certified?
• HITRUST, CSF and Mandatory Certification
• 20+ Due Diligence Questions about the HITRUST Certification
• Research HITRUST Board companies on: HHS Wall of Shame; ProPublica’s HIPAAHelper Privacy Violations, Breaches and Complaints page
We have never seen the OCR ever ask for Security Opinions (e.g., SSAE SOC2) or “HITRUST Certifications”.
As of mid-May 2016, HITRUST Alliance Board Members’ ten (10) organizations have 26 listings on the HHS Wall of Shame (with responsibility for 122MM of 156MM records [79%]) and 852 mentions on ProPublica’s HIPAAHelper web site for complaints / breaches. Three organizations are in the HIPAAHelper "Top 10”.
WWW.CLEARWATERCOMPLIANCE.COM
(800) 704-3394
http://www.linkedin.com/in/bobchaput/
@clearwaterhipaa
ClearwaterCompliance
Clearwater Compliance