OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data BreachPosted by Cynthia Marcotte Stamer on January 03, 2013 | Comments

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!

That's the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights' announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Read more »

Spotlight on Sexual AbusePosted by Chuck Hewitt on February 23, 2012 | Comments

The Risk
A significant problem faced by organizations offering services to youth, elderly, and the developmentally disabled is that individuals who sexually abuse are not easily identified. The majority of perpetrators involved in these incidents at nonprofit organizations have no prior abuse convictions. Also, they are often highly regarded by their peers and the families of those they are secretly abusing.

Data collected from 227 closed claims files over the past 22 years by the Nonprofits Insurance Alliance Group in Santa Cruz, California (a group with 11,000 members nationwide) reveals some interesting insights: 47% of sexual abuse claims involve agency staff members who have abused clients — mostly children, but also the elderly and mentally disabled; 22% of claims arise from client vs. client contacts — virtually all minors; foster home abuse claims account for another 11%; and claims against agency volunteers account for 4%.

The data indicates that most claims are without merit, but can be expensive to defend and costly when there has been actual abuse. Almost 75% of the claims closed with no indemnity paid and at an average defense cost of $4,000. The remaining 25% averaged almost $130,000 in paid indemnity and $40,000 in defense expenses. Those costs can put a serious dent in the budget of a nonprofit agency not insured for this special exposure.

Insurance Considerations
The standard commercial general liability policy excludes coverage for an intentional act, a central requirement for conviction of sexual abuse. In most states, that exclusion extends to the agency responsible for supervision of the perpetrator. In recent years, many carriers have added specific exclusions for any claim of sexual misconduct, and also added those exclusions to Directors and Officers policies. That leaves agencies and their boards without protection for claims that they negligently hired, trained or supervised their staff or volunteers, negligently certified foster homes, or provided inadequate oversight to the activities of clients in their care.

Read more »

You Run a Community-Based Nonprofit – What to Do When You Have an Accident, Claim or Lawsuit, Part 2Posted by Chuck Hewitt on February 15, 2012 | Comments

This is the second of a two-part series on what non-profits should do when a lawsuit is filed against them. Part 1 of this series can be found here.

What Are All of These Papers?
Let's look at the lawsuit itself. When a lawsuit is served, there are two different parts: a summons and a complaint (or some other name). The summons is a notice to you and/or your organization that you have been sued. The complaint tells you what the suit is about and what the person suing wants.

The Summons: The top paper is the summons. The summons is a very important piece of paper. It tells you who has filed the lawsuit, what attorney represents that person and what court the suit will be heard in.

The summons will also tell you exactly who is being served.

The Complaint: The complaint is all of the rest of the papers you receive except for the top page, or summons. In some cases other documents will be included with the complaint. A statement of damages (usually a huge number, unrelated to the merits of the case), and a notice from the court extolling the virtues of arbitration or mediation are the most common attachments.

The complaint is a description of all of the bad things you are supposed to have done to the plaintiff and what they have suffered as a result of your actions.

Generally speaking, it is not a good idea to read the complaint right away. Most people get very upset at what the lawsuit claims to have happened. Remember, lawsuits are all written in the same manner and use the same type of language.

Many counties have adopted a "fill in the blank" form complaint where boxes are checked and a few paragraphs describing the particular event leading to the specific lawsuit are inserted in the appropriate places.

Remember that most of the language used is standardized from complaint to complaint and while this particular one may rant and rave about you or your organization, you will be comforted to know that all complaints rant and rave in the same fashion.

Read more »

You Run a Community-Based Nonprofit – What to Do When You Have an Accident, Claim or Lawsuit, Part 1Posted by Chuck Hewitt on February 13, 2012 | Comments

This is the first of a two-part series on what non-profits should do when a lawsuit is filed against them. Part 2 of the series can be found here.

When Can a Lawsuit Be Filed?
In each state, there are various statutes of limitations or time limits in which a lawsuit must be filed for damaged persons to protect their claims and preserve their rights. In cases claiming bodily injury, persons who are injured must have concluded their claim within a specified time from the date of the incident, or file a lawsuit by the close of court on that specified date if they wish to pursue the claim.

Minors enjoy additional protection under the law. They have until a specified time past their date of majority to file a lawsuit, regardless of when the accident happened.

The statute of limitations for property damage or breach of a written contract may even be longer.

In some cases, people with mental infirmities may have no applicable statutes of limitations.

What Court Will Be Used?
Each state differs and some have names you may not have heard before. In California, for example, there are two levels of state courts where most of the lawsuits will likely be heard. These are Small Claims and Superior Courts.

Small Claims Court has a jurisdictional limit, usually in the range of $5,000 to $7,500. Claims for larger amounts cannot be filed in Small Claims. Attorneys are often not permitted in Small Claims Court. The parties represent themselves.

Superior Court is where most of the lawsuits in which nonprofits are likely to be involved in will be filed. There is no limit to the amount of damages that can be awarded in Superior Court unless there is a specific statutory cap.

Federal Court is the most likely place for employment cases involving allegations of discrimination or harassment. Cases involving out-of-state parties are also candidates for Federal Court.

Where Will the Lawsuit Be Filed?
The geographical location of the court depends on where the accident or alleged wrongdoing happened, where the plaintiff lives, or where the defendant does business. The lawsuit is usually filed in the county where the event happened, but there are exceptions. If the plaintiff lives in a different county, the court may permit the lawsuit to be brought in that county rather than the one where the event occurred.

Read more »

 

To receive our newsletter, enter your email address and click on the Submit button. You will then receive an email asking you to click on a link to confirm your subscription.

     

Insurance Thought Leadership aggregates best practices from highly respected experts in their field. Insurance Thought Leadership provides knowledge and experience at a time when its needed most, times of sweeping change and market uncertainty.

Whether it’s Healthcare, Worker’s Compensation, Property & Casualty, Auto, Sophisticated Life Insurance designs, Directors & Officer’s, Safety, Risk Control or other Claims Management, Insurance Thought Leadership promises to deliver the most relevant mind share the industry has to offer.

• How To Tell Board Chairs Your “Digital Zipper” Is Down
• Boardroom Digital Literacy – R U Talking to Me?
• Leveraging Best Practices With Advanced Analytics: Making the Right Decisions in Fraud Investigation
• Succession Planning: Now or Never
• Attacking the Underground Economy
• Healthcare Disruption: Providers Are Making Newspaper Industry Mistakes
• Giving The Nod To Soft Fraud: Divided We Fall
• The Ten Questions of Captive Insurance, Part 1
• Test Your Emergency, Continuity, and Disaster Recovery Plans Regularly, Part 2
• The CEO’s Guide to Medical Inflation: The Case for Measurement, Part 1

• Safety & Risk Control
• Healthcare
• Workers Compensation
• Actuarial Analysis
• Life Insurance
• Insurance Law
• Property & Liability
• Brokers & Agents
• Claims Management
• Benefits & Long-Term Care
• Directors & Officers
• Auto Insurance
• Health & Wellness
• Captive Insurance
• Leadership
• Disaster Planning & Recovery
• Nonprofit
• Insurance Tech
• Surety & Bonding
• Public Schools
• Subrogation
• Personal Insurance

<<	May 2013					>>
S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

• May 2013

• April 2013

• March 2013

• February 2013

• January 2013

• December 2012

• November 2012

• October 2012

• September 2012

• August 2012

• July 2012

• June 2012

• May 2012

• April 2012

• March 2012

• February 2012

• January 2012

• December 2011

• November 2011

• October 2011

• September 2011

• August 2011

• July 2011

• June 2011

• May 2011

• April 2011