For Clearwater Compliance Founder and CEO Bob Chaput, it isn’t enough to just write or talk about business security … the HIPAA compliance expert has worked hands-on with more companies than he can count to develop highly secure information technology strategies that are tightly aligned with the client’s specific business goals.
Having earned a string of certifications – CISSP, HCISPP, CRISC, CIPP/US – tied to information security and privacy, Chaput is an educator, executive, and entrepreneur who frequently gives workshops, seminars, and consultations that reflect his knowledge, enthusiasm, vision … and sense of humor. He uses his practical experience as an active information risk and compliance executive to counsel companies about handling, securing, and protecting their sensitive data, which is mission critical within the healthcare industry.
Chaput, who founded Clearwater Compliance in 2010, laughingly acknowledged he is a “failure at retirement,” having unsuccessfully tried it twice before. Prior to launching his company that specializes in all things HIPAA and HITECH, he spent a number of years in executive positions with Healthways, Johnson & Johnson, and GE Information Services. He noted the Clearwater team is made up of healthcare executives helping other healthcare execs navigate the deep water of federal regulations and rules while simultaneously thinking through their internal processes.
“It is often a matter of helping hospitals take stock and consider the reasons for their decisions, realizing that regulations that are reasonable and appropriate for Williamson County are not necessarily right for Johns Hopkins,” Chaput said of customizing solutions.
Clearwater – which was recently included in the top 15 of the inaugural issue of the Cybersecurity 500, highlighting the “hottest and most innovative” companies in the industry to watch in 2015 – has already helped more than 400 organizations across the country protect sensitive data through the deployment of effective risk management tools and processes. The company has earned the endorsement of the American Hospital Association for it’s healthcare information privacy, security, compliance and risk management solutions, which include proprietary web-based software, assessments and audits, and educational workshops and trainings for clients ranging from small medical practices to Fortune 100 companies.
Chaput said he is convinced much of their success is attributable not only to their rigorous adherence to regulations and relevant federal guidance but to their relationship-oriented mindset. “It is not just who you know but how you share what you know with them,” he pointed out.
The company was launched in the wake of the Health Information Technology for Economic and Clinical Health Act of 2009. Prior to that, much of the focus of HIPAA had been on privacy. HITECH, however, brought stimulus dollars into the picture to entice doctors to convert to electronic medical records with a “carrot and stick” approach. Chaput quickly realized this would bring about a sea change in the way of looking at penalties by requiring vendors to adhere to statutory compliance independent of the regulations for the health industry. With digital migration came greater risk of cyber attacks and security breaches that could make not only protected health information (PHI) more vulnerable but also personally identifiable information (PII).
The enforcement of HIPPA rules was not any different from what was going on in other industries. Publicity surrounding major data breaches at banks and large retailers meant consumers were paying more attention to security issues, and companies began to recognize they needed help in keeping their records both private and secure.
Chaput said that about this time, hospital boards of directors “got religion” about how regulations affected them on a personal level. “They got serious,” he said.
Boards began to recognize that compliance was not a question of ‘why’ but of ‘when’ regulations would require that record keeping be not only private but also stringently secure. They also realized they had a responsibility to assist in ensuring the healthcare facilities they represented had a plan in place and response in case of a breach. Chaput noted, “It was a great starting point in a long process and recognized that response must be very professional, polite, and customer focused.”
Even with heightened awareness that security is critical, breaches continue to happen … and to big players. One of the largest exposures in the country was reported by Community Health System in mid-August of last year. Chaput said the news “fell like a lightning bolt.” Then, in early 2015, the CHS breach was dwarfed when health insurance giant Anthem announced as many as 80 million customers might have had their account information stolen via cyber attack.
In a constantly changing field where the bad guys continue to get more devious, the good guys have to stay on top of their game. Chaput created and moderates the HIPAA HITECH Blue Ribbon Panel where a group of industry experts provide robust discussions on key issues and regulations in monthly forums.
“As educators, we continue to expand and update our knowledge base through postgraduate study, earning professional certification and participation in professional healthcare forums,” he added of Clearwater Compliance staff members.
“Our mission is to help companies make informed decisions about information privacy and security and implement the most effective solutions,” he observed, noting that experience is a great teacher. To that end, Clearwater developed a playbook formula of 10 key items that needed to be put in place that were based on lessons learned by what 25 companies had already faced.
However, Chaput continued, the company is about more than just meeting federal guidelines. The goal is to help organizations establish, implement and mature their privacy, security, compliance and information risk management programs. By doing that, he continued, Clearwater can help healthcare organizations and their service providers ultimately improve patient safety and the quality of care by allowing data to be safely shared with those who need it … and protected from those who don’t.
WEB:
