
Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to bob.chaput@clearwatercompliance.com

© Clearwater Compliance LLC | All Rights Reserved


Legal Disclaimer

This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Instructional Module 5: How to Train All Members of Your Workforce


Module 5 Overview

1. “How to Train All Members of Your Workforce”
2. Instructional Module Duration = 30 minutes
3. Learning Objectives Addressed In This Module
   – Cite and explain the explicit HIPAA requirements for Training
   – Explain the difference between training on the regulations and training on your own PnPs (policies and procedures)
   – Describe why it is necessary for training to be job/role specific
   – Describe a framework for an ongoing Privacy and Security Reminder program


Four Critical Dimensions (Clearwater Compliance Compass™)

Center of the model: Balanced Compliance Program

• People – must include talented privacy & security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
• Policy – defines an organization’s values & expected behaviors; establishes “good faith” intent.
• Procedures or processes – documented; provide the actions required to deliver on the organization’s values.
• Safeguards – includes the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).


9 Actions to Take Now

1. Set a Privacy and Security Risk Management & Governance Program in place
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR § 164.308(a)(1)) (45 CFR § 164.530 and 45 CFR § 164.316)
3. Train all Members of Your Workforce (45 CFR § 164.530(b) and 45 CFR § 164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate / Management Program (45 CFR § 164.502(e) and 45 CFR § 164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR § 164.530 and 45 CFR § 164.400)
9. Document and act upon a remediation plan

Demonstrate Good Faith Effort!


Session Objectives

1. Understand The Case for Action
2. Review specific HIPAA Training Regulations
3. Learn how to Train All Members of Your Workforce


Some OCR Corrective Action Plans

[Matrix slide: rows are CAP requirements, columns are OCR settlements; the individual “x” marks could not be recovered from the extracted text.]

Settlements shown (column headers, as extracted): AP, Rite-Aid, BCBS, AK, DERM, AHP, WLP, ISU, HONI, MEEI, CVS, TN, MGH, PHX, UCLA, DHSS

Settlement amounts shown: $150K, $1.2M, $1.7M, $400K, $50K, $1.5M, $2.3M, $1.0M, $1.5M, $1.0M, $100K, $865K, $1.7M (total $13.5+M)

Corrective Action Plan (CAP) Requirements:
• Establish a Comprehensive Information Security Program
• Develop Privacy and Security policies and procedures
• Designate an accountable Security Owner
• Document authorized access to ePHI
• Distribute and update policies and procedures
• Document Process for responding to security incidents
• Implement training and sanctions for noncompliance
• Conduct Risk Analysis / Establish Risk Management Process
• Implement Reasonable Safeguards to control risks
• Regularly review records of information system activity
• Implement reasonable steps to select service providers
• Testing and monitor security controls following changes
• Obtain assessments from qualified independent 3rd party
• Retain required documentation


Case for Action

• 9 out of every 10 breaches affecting 500 or more individuals published on the HHS Website* were caused by people in the organization
• Virtually every complaint of privacy violations investigated by the Office for Civil Rights (“OCR”) and resulting in corrective action involved violations by people in the organization**

*http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
**http://www.hhs.gov/ocr/privacy/hipaa/complaints/


Case for Action – Recent HHS ‘Wall of Shame’ Data

[Chart slide; data source:] *http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


2012 OCR Audit Protocol (HIPAA Security Rule)

OCR Audit Established Performance Criteria: § 164.308(a)(5) Security Awareness and Training – Implement a security awareness and training program for all members of its workforce (including management).

OCR Audit Key Activities
1. Develop and Approve a Training Strategy and a Plan.
2. Develop Appropriate Awareness and Training Content, Materials, and Methods.
3. Implement the Training.
4. Monitor and Evaluate Training Plan.


2012 OCR Audit Protocol Example: Develop and Approve a Training Strategy and a Plan

OCR Audit Protocol Procedures:
1. Inquire of management as to whether security awareness and training programs address the specific required HIPAA policies.
2. Obtain and review a list of security awareness and training programs and evaluate the content in relation to the specified criteria.
3. Determine if the specific HIPAA policies are addressed in these courses.
4. Determine if the security awareness and training programs are provided to the entire organization.
5. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on why they have chosen not to fully implement this specification and their rationale for doing so.


2012 OCR Audit Protocol (HIPAA Privacy Rule)

OCR Audit Established Performance Criteria: § 164.530 – Administrative Requirements

• § 164.530(b)(1) A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
• § 164.530(b)(2)(i)(A) Training must be provided to each member of the covered entity's workforce by no later than the compliance date for the covered entity; (B) thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and (C) to each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart within a reasonable amount of time.


2012 OCR Audit Protocol

OCR Audit Procedures
1. Inquire of management as to whether training is provided to the entity's workforce on HIPAA Privacy Standards.
2. Obtain and review documentation to determine if a training process is in place for HIPAA privacy standards.
3. Obtain and review documentation to determine if a monitoring process is in place to help ensure all members of the workforce receive training on HIPAA privacy standards as mandated by § 164.530(b)(1) and § 164.530(b)(2)(i).
4. For a selection of new hires within the audit period, obtain and review documentation showing training on HIPAA privacy compliance has been completed.


Session Objectives

1. Understand The Case for Action
2. Review specific HIPAA Training Regulations
3. Learn how to Train All Members of Your Workforce


Basic HIPAA Requirements

HIPAA SECURITY RULE – 45 C.F.R. § 164.308 Administrative Safeguards.

(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
(ii) Implementation specifications. Implement:
   A. Security reminders (Addressable). Periodic security updates.
   B. Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
   C. Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
   D. Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Callout: Training!! … rather than controls


HIPAA Requirements on a CE/BA

HIPAA PRIVACY FINAL RULE – 45 C.F.R. § 164.530(b) Training.

(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training.
   (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
      (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
      (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
      (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
   (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.


Pause & Quick Poll

• Do you have formal PnPs on HIPAA Privacy, Security and HITECH Breach Notification training?
• Is your training up to date to include Omnibus Final Rule changes?
• Do you have a formal program for ongoing privacy and security reminders?

Poll answers (YES / NO / DON’T KNOW):
   – PnPs on Training?
   – Training Omnibusized?
   – Ongoing Program?


Session Objectives

1. Understand The Case for Action
2. Review specific HIPAA Training Regulations
3. Learn How to Train All Members of Your Workforce


How to Train All Members of Your Workforce

1. Form A Cross-functional Task Force – Make It A Team Sport
2. Set Business Risk Management Goals – How Many by What Dates
3. Get Educated – Learn The Requirements And The Consequences
4. Complete Training Upon Hire And On Ongoing Basis – Ongoing Privacy And Security Reminders
5. Make It Job/Role Specific – Make It Personal
6. Make It Fun – Use Skits / Drama
7. Keep It Visible – Hold Events
8. Make Sure “Suits” Are Present and Participate
9. Use Breach Events As Learning Opportunities
10. Use Cartoons – See http://HIPAAcartoons.Com
11. Have A Plan And Record All Training
12. Train on Event-Incident-Breach
13. Train from Cases – Use Investigations And Audits
14. Vary Modalities – Online, Live Classroom, Team Projects, Workshops


HHS Free HIPAA Training Resources

1. OCR offers free training on compliance with the HIPAA Privacy and Security Rules for Continuing Medical Education (CME) credit at http://www.medscape.org/sites/advances/patients-rights.
2. HIPAA Enforcement Training for State Attorneys General at: http://www.hhshipaasagtraining.com/

Clearwater Free HIPAA Training Resources

1. Live Webinar Events: http://clearwatercompliance.com/live-educational-webinars/
2. On Demand Webinar Events: http://clearwatercompliance.com/on-demand-webinars/
3. Clearwater HIPAA-HITECH Blue Ribbon Panel™ Web Events: http://clearwatercompliance.com/hipaa-hitech-blue-ribbon-panel/


OCR Privacy & Security ListServs

• https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-PRIVACYLIST&A=1
• https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-SECURITYLIST&A=1


Certification Programs

From ISC2…
• CISSP – https://www.isc2.org/CISSP/Default.aspx (and beyond, e.g., CISSP-ISSMP)
• HCISPP – https://www.isc2.org/hcispp/default.aspx

From IAPP…
• CIPP/US – https://www.privacyassociation.org/certification/cipp_certification_programs
• CIPP/IT – https://www.privacyassociation.org/certification/cipp_certification_programs/cipp_it

From ISACA…
• CISA – http://www.isaca.org/CERTIFICATION/CISA-CERTIFIED-INFORMATION-SYSTEMS-AUDITOR/Pages/default.aspx
• CISM – http://www.isaca.org/certification/cism-certified-information-security-manager/Pages/default.aspx
• CRISC – http://www.isaca.org/CERTIFICATION/CRISC-CERTIFIED-IN-RISK-AND-INFORMATION-SYSTEMS-CONTROL/Pages/default.aspx

From AHIMA…
• CHPS – http://www.ahima.org/certification/chps
• CHTS – http://www.ahima.org/certification/chts

From HCCA…
• CHC – http://www.compliancecertification.org/CHC/CertifiedinHealthcareCompliance.aspx
• CHPC – http://www.compliancecertification.org/CHPC/CertifiedinHealthcarePrivacyCompliance.aspx


Some Best Practices

• Specific Examples With Day-to-day Activities
• Daily Or Weekly Privacy & Security Rounds By Senior Staff
• Posters In All Workforce Areas
• Splash Screens At Logon
• Periodic Privacy And Security Reminder Emails
• Script Cards
• Visible Sanctions
• Formal Lessons Learned
• Join The Right Associations


Supplemental Materials

5-1. Sample “HIPAA and Identity Theft Protection Poster High Res” (PDF)
5-2. 2012 OCR HIPAA Audit Program Protocol on Security Training (Word)
5-3. Texas House Bill 300 (PDF)
5-4. Clearwater HIPAA Privacy and Security Reminders


Questions?