The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omni-bus rules. ControlCase HIPAA Compliance as a Service (CaaS) is an Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.

1. Healthcare Insurance Portability
and Accountability Act (HIPAA)
By Hugh Kominars, VP - ControlCase

2. Agenda
• Introduction
• What is HIPAA today?
• How does Omnibus and HITECH tie into and mean in
the context of HIPAA
• High level requirements of the HIPAA Privacy,
Security and Breach Notification Rules for covered
entities and business associates
• Lessons Learned - Demonstrating Compliance
• Maintaining effective compliance with CaaS
• Q&A
2/23

3. Introduction
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› Shared Assessment/BITS FISAP Assessor
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessor
› EI3PA Assessor
› SSAE16, SOC1, SOC2, SOC3 Audits
› HITRUST and HIPAA
3/23

4. What is HIPAA today?
Health Insurance Portability & Accountability Act
of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical
security and privacy standards
• Applies to both healthcare providers and business
associates (3rd parties)
• Attributes responsibility for monitoring HIPAA
compliance of business associates to healthcare
providers
• Assessment of compliance of business associates
due 09/23/13
4/23

5. HIPAA, HITECH and the Omni-bus Rule
5 / 23
HITECH
• Specifically extends security, privacy
and breach notification requirements
to Business Associates (BA)
• Establishes mandatory penalties for
‘willful neglect’
• Imposes data breach notification
requirements for unauthorized uses
and disclosures of "unsecured PHI.“
• Institutes third party management
and monitoring as ‘due diligences
and ‘due care’ provisions
• Establishes the right for patients to
obtain their PHI in an electronic
format (i.e. ePHI)
Omni-bus Rule
• Finalization of interim rules outlined
in the HITECH act
• Formalizes enforcement provisions
for breaches
• Expands definition of BA to include
subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the
actual maximum for penalties
• Covered Entities (CE) and BA are
liable for the acts of BA and their
subcontractors
• Requires a on-going monitoring
process for the organization’s
security programs and processes.

6. HIPAA Enforcement
• HHS’ Office of Civil Rights (OCR) is responsible for enforcing
the Privacy and Security Rule
› Performing investigations of complaints (95,588 reported since 2003; 22,497
investigated by OCR)
› Random sampling of organizations, (115 performed in 2012)
› Assessment of risk/exposure based on transaction volumes (CEs and BAs)
• OCR resolution options
› Voluntary compliance,
› Corrective action, and/or
› Resolution agreement
• OCR referrals to Department of Justice (DOJ)
› Cases involving knowingly disclosing or obtaining PHI
› 526 cases have been referred to date
• HHS determines penalties (Federal)
› Additional penalties levied by individual States Attorneys’ for affected residents
› Funds approximately half of OCR audit operations cost from fines
6 /23

7. Fines/Penalties
HIPAA Violation Minimum Penalty Maximum Penalty
Individual did not know (and by
exercising reasonable diligence
would not have known) that
he/she violated HIPAA
$100 per violation, with an annual
maximum of $25,000 for repeat
violations (Note: maximum that
can be imposed by State Attorneys
General regardless of the type of
violation)
$50,000 per violation, with an
annual maximum of $1.5 million
HIPAA violation due to reasonable
cause and not due to willful
neglect
$1,000 per violation, with an
annual maximum of $100,000 for
repeat violations
$50,000 per violation, with an
annual maximum of $1.5 million
HIPAA violation due to willful
neglect but violation is corrected
within the required time period
$10,000 per violation, with an
annual maximum of $250,000 for
repeat violations
$50,000 per violation, with an
annual maximum of $1.5 million
HIPAA violation is due to willful
neglect and is not corrected
$50,000 per violation, with an
annual maximum of $1.5 million
$50,000 per violation, with an
annual maximum of $1.5 million
7 / 23
Source:
http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-
insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page

8. Enforcement Results
Organization
Penalty
(Federal)
Nature of Violation
CIGNET $4,300,000 Online database application error.
Alaska Department of Health and Human
Services
$1,700,000
Unencrypted USB hard drive stolen, poor policies and risk
analysis.
WellPoint $1,700,000
Did not have technical safeguards in place to verify the
person/entity seeking access to PHI in the database. Failed
to conduct a tech eval in response to software upgrade.
Blue Cross Blue Shield of Tennessee $1,500,000 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and
Massachusetts Eye and Ear Associates
$1,500,000 Unencrypted laptop stolen, poor risk analysis, policies.
Affinity Health Plan $1,215,780 Returned photocopiers without erasing the hard drives.
South Shore Hospital $750,000 Backup tapes went missing on the way to contractor.
Idaho State University $400,000 Breach of unsecured ePHI.
Shasta Regional Medical Center $275,000
Inadequate safeguarding of PHI from impermissible uses
and disclosures.
Phoenix Cardiac Surgery $100,000 Internet calendar, poor policies, training.
The Hospice of Northern Idaho $50,000
Breach of unsecured ePHI. Unencrypted laptop stolen, no
risk analysis.
8 / 23
Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

9. Looking Forward….
• Leon Rodriguez (HHS OCR Director)
› "I think all these (17) cases really powerfully articulate those expectations and
the fact that we will be holding people accountable,"
› “…those numbers are expected to go up, especially when the official audit
program goes live this year. ”
› When asked regarding root cause or biggest misstep, Rodriguez pointed to risk
analysis inadequacies, for business associates and covered entities alike. It’s
the "failure to perform a comprehensive, thorough risk analysis and then to
apply the results of that analysis,"
• Onshore/Offshore BAs and their BAs
› Enforcement actions on BAs with onshore business units is clear cut
› For BAs with only offshore business units; enforcement actions levied through
CEs.
9 / 23

10. HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:
• Requires appropriate safeguards to protect the privacy of personal health
information
• Sets limits and conditions on the uses and disclosures that may be made of
such information without patient authorization
• Gives patients rights over their health information, including rights to
examine and obtain a copy of their health records, and to request
corrections
• Requires compliance with the Security Rule
For BAs
• Requires breach notification to the Covered Entity
• Requires either the individual or the Covered Entity access to PHI
• Requires reporting the disclosure of PHI to the Secretary of HHS
• Provide an accounting of disclosures.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
10/23

11. HIPAA Requirements – Security Rule
Administrative Safeguards:
Security Management Process (Risk Analysis (required), Risk Management (required), Sanction Policy (required),
Information Systems Activity Reviews (required), Assigned Security Responsibility - Officers (required), Workforce
Security - Employee Oversight (addressable), Information Access Management - Multiple Organizations (required)
and ePHI Access (addressable); Security Awareness and Training - Security Reminders (addressable), Protection
Against Malware (addressable), Login Monitoring (addressable); Password Management (addressable), Security
Incident Procedures - Response and Reporting (required), Contingency Plans (required); Evaluations (required);
Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:
Access Control - Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff
(addressable), Encryption and Decryption (addressable); Audit Controls (required); Integrity - Mechanism to
Authenticate ePHI (addressable); Authentication (required); Transmission Security - Integrity Controls
(addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:
Facility Access Controls - Contingency Operations (addressable), Facility Security Plan (addressable), Access
Control and Validation Procedures (addressable), Maintenance Records (addressable), Workstation Security
(required), Device and Media Controls - Disposal (required), Media Re-Use (required), Data Backup and Storage
(addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
11/23

12. HIPAA Requirements – Breach Notification
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
12/23
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the
security or privacy of the protected health information.
Unsecure PHI
Transition and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or
Federal Information Processing Standards (FIPS) 140-2 validated
Destruction: Specifies physical and electronic PHI, for electronic, NIST Special Publication 800-88
Breach Notification
Methods: By email or first class mail, to the media, posting the notice on the home page of its web site
for at least 90 days, If BA, to the CE, within 60 days of determination
Notification Thresholds
> 500 records: notify HHS, to individuals and media, within 60 days
< 500 records: notify HHS, annually consolidated listing
Burden of Proof
CEs/BAs required to prove that they have notified the affected parties within the time periods specified
or face penalties

13. HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation
• Business associates must identify, assess and monitor their
supporting business associates (BAs of BAs) and provide
regular updates to the respective CE
• BAs must establish and define (contractually) security
requirements, right to audit, incident reporting clauses with
their service providers
• BAs must implement an effective monitoring/assessment
process based on the nature of the data exchanged with
service providers
• Be able to show due diligence/due care with respect to
monitoring their supplier’s security compliance
13/23

14. Lessons Learned - Demonstrating Compliance -
14 / 23
• Risk Assessments
– Not performed/not updated or
documented
– Limited scope: facilities,
processing environment,
personnel, software,
– Not aligned with controls or
monitoring
• Inventories (Asset Management)
– Out of date/not documented
hardware, software, interfaces,
dataflow diagrams/process
descriptions, removable media,
teleworkers (remote), BAs and
subcontractors
• No BA/Vendor Management
program
• Policies, procedures and
standards (Governance)
• Hardening and patch
management
– None or not implemented
– Not monitored/No follow-up
– End-of-life
• Vulnerability Management
– Inconsistent/incomplete
internal vulnerability and
penetration testing for
networks and applications
– Remediation gaps
– No Internet content restrictions

15. Lessons Learned (continued)
15 / 23
• System Logging and
Monitoring
– Not implemented/inconsistent
– Not retained or analyzed
– Lack of oversight and approval
• None or inconsistent
encryption of data in
transmission or storage
• Media management and
tracking gaps
• Untested incident and
breach response processes
for PHI related disclosures
• User Provisioning
– Excessive privileges/accesses
– No formal documentation of
rationale
– Lack of oversight and approval
• Training and awareness
– Not HIPAA oriented
– No refresh
– Lack of evidence of attendance
• Inadequate business
continuity and disaster
recover
• Failure to monitor external
maintenance personnel

16. Root Causes
16/23
• Operational Conflicts of Interest
– Maintaining versus securing
– Capacity and focus
– Lack of resources for monitoring and maintaining compliance after achieving initial
compliance
• No assignment of accountability
• Personnel turnover
• Lack of expertise and objectivity
• Process disconnects between HR, change management, IT and
Systems acquisition
• Lack of resources for monitoring and maintaining compliance
after achieving initial compliance

17. The Path Forward and Beyond
17/23
• Risk Assessments – complete, detailed, controls aligned to mitigate risk, and a
program to monitor the effectiveness of those controls
• Inventories (Asset Management) – documented, covering all hardware,
software, interfaces (internally and externally), process documentation (DFD) with
narratives, removable media (with method of encryption), teleworkers and BAs and
subcontractors (including what PHI is shared and how is it protected)
• BA Management Program – identifies in-scope and out-of-scope
organizations, the data that is shared, an assessment of risk, the method to monitor
and track HIPAA compliance, results of monitoring.
• Policies, procedures and standards (Governance) – complete to include
Sanction/Corrective Action policies and evidence that it is implemented
• Hardening and patch management – covers all assets that process PHI;
tied to asset management and verified by internal/external vulnerability scans
• Vulnerability Management – covers all assets that process PHI, includes
remediation and retesting to verify remediation effectiveness.
• System Logging and Monitoring – covers all systems, databases and
applications that process, transmit and store PHI

18. The Path Forward and Beyond
18/23
• Data Encryption – in transit and at rest, tied to DFD and process narratives
• Media Management and Tracking – covers removable encrypted media,
tied to DFD and process narratives
• Incident and Breach Response Processes – defined and tested to
address breach and disclosure of PHI, understanding of who is impacted, and who
needs to be notified
• User Provisioning – to specific system/applications, two manager review
(business and IT Security)
• Training and awareness – covers new hire with annual retraining,
maintaining a roster of completion and non-compliance.
• Business Continuity and Disaster Recover – must show that PHI
would be available after a disaster
• Personnel Monitoring – cover employees, contractors and third parties that
have access to PHI (physical and electronic)

19. • Compliance as a Service (CaaS)
› Integration of services, software and compliance management
and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP
through our cloud-based GRC
› Allows clients to easily assess, monitor and maintain compliance
not only with HIPAA, but across multiple standards
› Services Include
• Gap and Risk assessments (initial and on-going)
• Automated data discovery for the 18 PHI identifiers
• Policy and procedures
• Training and awareness; records
• External and internal vulnerability assessments for networks and
applications
• External and internal penetration tests for networks and applications
• BA/Supplier identification, management and assessments
• Logging and Monitoring
How ControlCase Supports CEs and BAs
19/23

20. How ControlCase Supports CEs and BAs
19/23

21. How ControlCase Supports CEs and BAs
19/23

22. Mapping CaaS to HIPAA
20/23

23. Mapping CaaS to HIPAA
20/23

24. Fines and Penalties
http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-
insurance-portability-accountability-act/hipaa-violations-enforcement.page
Enforcement Results
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
HIPAA Privacy
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security
Administrative Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
Technical Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
HIPAA Breach Notification
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Factors that OCR considers when investigating a complaint
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/whatocrconsiders.html
Breach Notification Information http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Factors considered when levying civil penalties (fines)
http://www.hipaasurvivalguide.com/hipaa-regulations/160-408.php
24 / 23
External Resources

25. Q & A
22/23

26. To Learn More …
• Visit www.controlcase.com
• Call +1 703 483 6383 (North America)
• Call +57 1 678 3716 (South America)
• Call +44 1276 686 048 (Europe)
• Call +971 4440 5958 (Middle East & Africa)
• Call +91 982 029 3399 (Asia Pacific)
• Hugh Kominars (VP) hkominars@controlcase.com
23/23