
Insurance And Manufacturing: Lessons In Software, Systems, And Supply Chains

By comparing insurance to manufacturing, companies can glean valuable insights on getting lean and agile with insurance product life cycle management.

Recently, my boss Steve and I were talking about his early career days with one of those Big 8, then Big 6, then Big 5, then Big 4 intergalactic consulting firms. Steve came out of college with an engineering degree, so it was natural to start in the manufacturing industry. Learning about bills of material, routings, design engineering, CAD/CAM ... "Ah yes," he recalled, "Those were heady days." And all those vendor-packaged manufacturing ERP systems that were starting to take the market by storm.

Eventually Steve found his way into the insurance industry, and thus began our discussion. One of the first things that struck Steve was the lack of standard software packages in the insurance industry. I don't mean the lack of software vendors — there are plenty of those. Seemingly, though, each software solution was a one-off. Or custom. Or some hybrid combination. "Why?" we wondered.

The reasons, as we now know, were primarily reflected in an overall industry mindset:

  • A "but we are unique!" attitude was pervasive. Companies were convinced that if they all used the same software, there would be little to differentiate themselves from one another.
  • There was also an accepted industrywide, one-off approach. Conversations went something like this: "XYZ is our vendor. We really don't like them. Taking new versions just about kills us. We don't know why we even pay for maintenance, but we do."

But the chief reason for a lack of standard software was the inability to separate product from process. What does this mean?

Well, you can certainly envision that your auto product in Minnesota is handled differently than your homeowners' product in California. I'm not referring to just the obvious elements (limits, deductibles, rating attributes), but also the steps required for underwriting, renewal, and cancellation. Separation of product from process must go beyond the obvious rate/rule/form variations to also encompass internal business and external compliance process variations.

But there's still plenty of processing — the heavy lifting of transaction processing — that's the same and does not vary. For example, out-of-sequence endorsement processing is not something that makes a company unique and therefore would not require a custom solution.

Where the rubber meets the road, and where vendor packages have really improved their architecture over the last several years, is by providing the capability in their policy admin systems for companies to "drop" very specific product information, along with associated variations, into a very generic transaction system.

Once product "components" (digitized) are separated from the insurance processing engine, and once companies have a formal way to define them (standard language), they can truly start making their products "unique" with reuse and mass customization. Much like those manufacturing bills of material and routings looked to Steve way back when.

This separation of policy from product has been a key breakthrough in insurance software. So what is an insurance product, at least in respect to systems automation?

From Muddled To Modeled
The typical scenario to avoid goes something like this:

  • The business people pore over their filings and manuals and say, "This is the product we sell and issue."
  • The IT people pore over program code and say, "That's the product we have automated."
  • The business people write a lot of text in their word processing documents. They find a business analyst to translate it into something more structured, but still text.
  • The business analyst finds a designer to make the leap from business text to IT data structures and object diagrams.
  • The designer then finds a programmer to turn that into code.

One version of the truth? More like two ships passing, and it's more common than you may think. How can organizations expect success when the product development process is not aligned? Without alignment, how can organizations expect market and compliance responsiveness?

What's the alternative? It revolves around an insurance "product model." Much like general, industry-standard data models and object models, a product model uses a precise set of symbols and language to define insurance product rates, rules, and forms — the static or structural parts of an insurance product. In addition, the product model must also define the actions that are allowed to be taken with the policy during the life of the contract — the dynamic or behavioral aspect of the product model. So for example, on a commercial auto product in California, the model will direct the user to attach a particular form (structure) for new business issuance only (actions).

Anyone familiar with object and data modeling knows there are well-defined standards for these all-purpose models. For insurance product modeling, at least currently, such standards are more proprietary, such as IBM's and Camilion's models, and of course there are others. It is interesting to note that ACORD now has under its auspices the Product Schema as the result of IBM's donation of aspects of IAA. Might this lead to more industry standardization?

With product modeling as an enabler, there's yet another key element to address. Yes, that would be the product modelers — the people responsible for making it work. Product modeling gives us the lexicon or taxonomy to do product development work, but who should perform that work? IT designers with sound business knowledge? Business people with analytical skills? Yes and yes. We must finally drop the history of disconnects where one side of the house fails to understand the other.

With a foundation of product modeling and product modelers in place, we can move to a more agile or lean product life cycle management approach — cross-functional teams versus narrow, specialized skills; ongoing team continuity versus ad hoc departmental members; frequent, incremental product improvements versus slow, infrequent, big product replacements.

It all sounds good, but what about the product source supplier — the bureaus?

Supply Chain: The Kinks In Your Links
Here is where the comparison between insurance and manufacturing takes a sharp turn. In their pursuit of quality and just-in-time delivery, manufacturers can make demands on their supply chain vendors. Insurance companies, on the other hand, are at the mercy of the bureaus. ISO, NCCI, and AAIS all develop rates, rules, and forms, of course. They then deliver these updates to their member subscribers via paper manuals or electronically via text.

From there the fun really begins. Insurance companies must log the info, determine which of their products and territories are impacted, compare the updates to what they already have implemented and filed, conduct marketing and business reviews, and hopefully and eventually, implement at least some of those updates.

Recent studies by Novarica and SMA indicate there are approximately 3,000 to 4,000 changes per year in commercial lines alone. The labor cost to implement just one ISO circular with a form change and a rate change is estimated to be $135,000, with the majority of costs in the analysis and system update steps.

There has got to be a better way ...

ISO at least has taken a step in the right direction with the availability of its Electronic Rating Content. In either Excel or XML format, ISO interprets its own content to specify such constructs as premium calculations (e.g., defined order of calculation, rounding rules), form attachment logic (for conditional forms), and stat code assignment logic (to support the full plan).

A step in the right direction, no doubt. But what if ISO used a standard mechanism and format to do this? ACORD now has under its control the ACORD Product Schema. This is part of IBM's fairly recent IAA donation. It provides us a standard way to represent the insurance product and a standard way to integrate with policy admin systems. What if ISO and the other key providers in the product supply chain started it all off this way?

Dream on, you say? While you may not have the clout to demand that the bureaus change today, you do pay membership fees, and collectively the members have a voice in encouraging ongoing improvements in the insurance "supply chain."

In the meantime, the goal to be lean and agile with product life cycle management continues. We must respond quickly and cost-effectively to market opportunities, policyholder feedback, and regulatory requirements. That all starts at the product source ... but it doesn't end there. So while the supply chain improves its quality and delivery, insurance companies will need to gain efficiencies throughout every corner of their organizations in order to achieve those lean goals.

In writing this article, David collaborated with his boss Steve Kronsnoble. Steve is a senior manager at Wipfli and an expert in the development, integration, and management of information technology. He has more than 25 years of systems implementation experience with both custom-developed and packaged software using a variety of underlying technologies. Prior to Wipfli, Steve worked for a major insurance company and leverages that experience to better serve his clients.

Predictive Analytics And Underwriting In Workers' Compensation

Evidence-based decision-making provides consistency and improved accuracy in selecting and pricing risk in workers' compensation.

Insurance executives are grappling with increasing competition, declining return on equity, average combined ratios sitting at 115 percent and rising claims costs. According to a recent report from Moody's, achieving profitability in workers' compensation insurance will continue to be a challenge due to low interest rates and the decline in manufacturing and construction employment, which makes up 40% of workers' comp premium.

Insurers are also facing significant changes to how they run underwriting. The industry is affected more than most by the aging baby boomer population. In the last 10 years, the number of insurance workers 55 or older has increased by 74 percent, compared to the 45 percent increase for the overall workforce. With 20 percent of the underwriter workforce nearing retirement, McKinsey noted in a May 2010 Report that we will need 25,000 new underwriters by 2014. Where will the new underwriters come from? And more importantly, what will be the impact on underwriting accuracy?

Furthermore, there's no question that technology has fundamentally changed the pace of business. Consider the example of FirstComp reported by The Motley Fool in May 2011. FirstComp created an online interface for agents to request workers' compensation quotes. What they found was remarkable. When they provided a quote within one minute of the agent's request, they booked that policy 52% of the time. However, their success percentage declined with each passing hour that they waited. In fact, if FirstComp waited a full 24 hours to respond, their close rate plummeted to 30 percent. In October 2012, Zurich North America was nominated for the Novarica Research Council Impact Award for reducing the time it takes to quote policies. In one example, Zurich cut the time it took to quote a 110-vehicle fleet from 8 hours to 15 minutes.

In order to improve their companies' performance and meet response time expectations from agents, underwriters need advanced tools and methodologies that provide access to information in real-time. More data is available to underwriters, but they need a way to synthesize "big data" to make accurate decisions more quickly. When you combine the impending workforce turnover with the need to produce quotes within minutes, workers' comp carriers are increasingly turning toward the use of advanced data and predictive analytics.

Added to these new industry dynamics is the reality that both workers' compensation and homeowners are highly unprofitable for carriers. According to Insurance Information Institute's 2012 Workers' Compensation Critical Issues and Outlook Report, profitable underwriting was the norm prior to the 1980s. Workers' comp has not consistently made an underwriting profit for the last few decades for several reasons including increasing medical costs, high unemployment and soft market pressures.

What Is Predictive Analytics?
Predictive analytics uses statistical and analytical techniques to develop predictive models that enable accurate predictions about future outcomes. Predictive models can take various forms, with most models generating a score that indicates the likelihood a given future scenario will occur. For instance, a predictive model can identify the probability that a policy will have a claim. Predictive analytics enables powerful, and sometimes counterintuitive, relationships among data variables to emerge that otherwise may not be readily apparent, thus improving a carrier's ability to predict the future outcome of a policy.

Predictive modeling has also led to the advent of robust workers' compensation "industry risk models" — models built on contributory databases of carrier data that perform very well across multiple carrier book profiles.

There are several best practices that enable carriers to benefit from predictive analytics. Large datasets are required to build accurate predictive models and to avoid selection bias, and most carriers need to leverage third-party data and analytical resources. Predictive models allow carriers to make data-driven decisions consistently across their underwriting staff, and use evidence-based decision-making rather than relying solely on heuristics or human judgment to assess risk.

Finally, incorporating predictive analytics requires an evolution in terms of people, process, and technology, and thus executive level support is important to facilitate adoption internally. Carriers who fully adopt predictive analytics are more competitive in gaining profitable market share and avoiding adverse selection.

Is Your Organization Ready For Predictive Analytics?
As with any new initiative, how predictive analytics is implemented will determine its success. Evidence-based decision-making provides consistency and improved accuracy in selecting and pricing risk in workers' compensation. Recently, Dowling & Partners Securities, LLC, released a special report on predictive analytics and said that the "use of predictive modeling is still in many cases a competitive advantage for insurers that use it, but it is beginning to be a disadvantage for those that don't." The question for many insurance executives remains: Is this right for my organization, and what do we need to do to use analytics successfully?

There are a few important criteria and best practices to consider when implementing predictive analytics to help drive underwriting profitability.

  • Define your organization's distinct capability as it relates to implementing predictive analytics within underwriting.
  • Secure senior management commitment and passion for becoming an analytic competitor, and keep that level of commitment for the long term. It will be a trial and error process, especially in the beginning.
  • Dream big. Organizations that find the greatest success with analytics have big, important goals tied to core metrics for the performance of their business.

Medical Identity Theft And Fraud

Medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

Medical identity theft (MIDT) is a crime that has profound consequences for patients, insurance providers, and health care providers. The definition of medical identity theft is the fraudulent use of an individual's personally identifiable information (PII), such as name, Social Security number, and/or medical insurance identity number to obtain medical goods or services, or to fraudulently bill for medical goods or services using an unlawfully obtained medical identity. Unfortunately, the definition of medical identity theft and the consequences that are associated with the crime are not common knowledge to the general public.

A recent study conducted by Harris Interactive on behalf of Nationwide Insurance found that only one in six (~15%) of insured adults say they are familiar or very familiar with the term "medical identity theft." Of the 15% that professed familiarity with the term, only 38% could correctly define what a medical identity was (Medical ID Theft Study 4). Unfortunately, this lack of widespread understanding of medical identity theft by consumers is part of the problem and it is costing consumers, insurers, and healthcare providers alike.

According to the most recent Ponemon Institute Research Report, 1.85 million Americans were affected by medical identity theft in 2012. This is a dramatic increase from the 1.49 million affected by medical identity theft in 2011, amounting to an almost 25% increase in just one year (Third Annual Survey 1). This rate of growth has the potential to explode for several reasons. First, the Affordable Care Act is estimated to reduce the number of uninsured by approximately 30 million (Insurance Coverage Provisions 13), drastically increasing the number of insurers and insured patients that are targets for medical identity theft. Second, HIPAA policies and new rules under HITECH are increasing the use of electronic health records (EHRs), which can be vulnerable to data hackers. And lastly, the data hackers themselves are more sophisticated and cognizant of ways to profit off of personal data than ever before. All these factors combined pose a very serious dilemma in controlling the rate of growth for medical identity theft. Ponemon estimates that the cost of medical identity theft to consumers in 2012 was approximately $41 billion (Third Annual Survey 1). This does not include the untold cost borne by healthcare and insurance providers. We cannot afford the cost of letting this crime grow.

In order to minimize the effects of medical identity theft we must better understand the nature of medical identity theft. The Identity Theft Resource Center (ITRC) knows it is important to assess how consumers' identities are stolen, how they find out they have fallen victim to this crime, and how difficult it is to resolve once discovered. The Identity Theft Resource Center believes this information can be used to educate and make aware the general public as to what medical identity theft is and how they can minimize their risk or mitigate the cost once they become a victim.

Looking at how medical identity theft victims discover they have fallen victim to this crime is crucial in determining what can be done to discover medical identity theft sooner to avoid increased expenses and instances of fraud. The 2012 Ponemon report found that the most common way (39%) people discover they have become victims of identity theft is by receiving collection letters for delinquent bills. This is bad news as this means the costs for the fraudulent services worked their way through the providers' billing systems and languished there until they were forwarded to collection departments or agencies. In the time it took for the bill to make it to the collection department or agency, the imposter could have committed many more instances of fraud in different locations. The second most common method of discovery (32%) was by noticing mistakes in their health records, tipping them off to the medical identity theft. This is also bad news as mistakes in health records can have catastrophic consequences which can be fatal.

Fortunately, the third most common method (26%) of discovering identity theft was by victims noticing suspicious postings to a statement or invoice, such as an Explanation of Benefits statement. This is very good news as this usually means the victim is discovering their medical identity theft as early as possible. The earlier the victim notices the crime, the more likely they may avoid damage to their credit score, stop future abuse of their medical identity, and reduce the amount of time and money spent to rectify the issue. This statistic is even more interesting when compared to the previous two years of the Ponemon study, where only 9% of participants indicated that they discovered their medical identity theft via suspicious statements or invoices. This is a promising example of how educating and making consumers aware of medical identity theft can make a big difference in helping reduce the incidence of medical identity theft and its costs as a whole.

Looking into the mitigation process victims are confronted with after they discover their medical identity theft reveals the costs and trouble they have to go through to clear their names. There are two distinct objectives when mitigating medical identity theft. First, the victim must deal with an individual incident such as a thief receiving medical care under the victim's name and the associated fiscal impact the crime imposes. Second, the victim must now deal with the task of "curing" themselves of medical identity theft, ensuring that their medical identity is not abused again in the future. This second objective is extremely difficult and contributes to the devastating nature of medical identity theft.

Regarding the first objective, the process for rectifying an individual incident of medical identity theft is complicated and drawn out. The victim must immediately contact the medical records and billing departments of the healthcare provider that provided the services to the imposter, request their medical records, and inform the provider that they are not responsible for the fraudulent bills. Upon learning that there may be fraudulent information in the victim's medical record, the healthcare provider may deny the victim access to their medical record for fear of violating the Health Insurance Portability and Accountability Act (HIPAA). HIPAA protects the privacy of patients' medical records making healthcare providers worry that they may be violating the imposter's privacy rights by releasing the medical record to the victim. Oftentimes, the healthcare provider does not know for a fact that the fraudulent information in the medical record was a result of medical identity theft and cannot rule out that it may simply have been an accidental mixing of two patients' records. Regardless of the situation, the healthcare provider is afraid of incurring liability under HIPAA for releasing confidential medical information even if it is under the victim's name. The victim may have to appeal the decision in order to be able to view their records.

In one case, a medical identity theft victim was charged for bills related to the alleged amputation of one of her feet. Luckily, this was easily refutable as she could simply show the hospital billing department that she still had her two feet. Unfortunately, the imposter also had diabetes, which prompted a physician, during a subsequent hospitalization, to ask the victim what medications she was taking to treat her diabetes. Note that the victim has never had the disease (Menn). This case demonstrates how frustrating correcting medical records can be and reminds us how dangerous medical identity theft is to the victim.

It is also recommended that victims file a police report and submit a copy of the report to healthcare providers as it will usually help streamline the process. It is important for victims to note that medical identity theft, like any other form of identity theft, is a crime for which police are required to provide a police report in most states. Once the incorrect information is identified, the victim must request that the healthcare provider either remove the information or at least flag it should the provider be reluctant to permanently remove it. After correcting the records at the location where the imposter received medical services, the victim will then have to request an accounting of disclosures listing all the entities to which the healthcare provider sent the victim's fraudulent records. The victim must repeat this procedure at each location that has their fraudulent medical record. All of this creates mountains of work for healthcare providers, insurers, and the victims themselves, which increases costs in the medical industry for everyone involved.

The second and more difficult objective, "curing" oneself of medical identity theft, does not have a set solution. The problem stems from the decentralized structure of the medical data system. Every healthcare provider, pharmacy, and insurer has its own records and records system. In contrast, the financial industry has three major credit reporting agencies through which almost all financial credit information is processed. Therefore, when you have suffered financial identity theft, a great way to mitigate future instances of fraud is to place a credit freeze with all three credit reporting agencies so that identity thieves cannot abuse your credit again. There is no such central medical record agency for medical records. Thus, it is possible for a medical identity thief to commit fraud with the same medical identity over and over again in multiple locations around the country. The victim will have to go through the individual incident mitigation process every time and just hope that the identity thief will stop using their medical identity.

Since there is no way to get ahead of the thief and prevent the medical fraud from occurring, the best way to mitigate the costs and effects of medical identity theft is for the victim to be vigilant and confront each instance of fraud as soon as possible in order to reduce the amount of wasted time and costs. This repetitive cycle is exhausting and costly for the victim as well as healthcare providers and insurers. In all three years Ponemon has conducted this survey, the number of victims who said they had completely resolved their medical identity theft never exceeded 11% (Third Annual Survey 11). This is an ongoing problem that does not yet have a solution, but it is imperative for all stakeholders to be involved.

All of this information points us to the realization that medical identity theft is a costly and potentially dangerous crime that is incredibly difficult to resolve. To make matters worse, medical identity theft often goes undiscovered for long periods of time and only becomes more detrimental and difficult to resolve the longer it goes undetected.

The Identity Theft Resource Center proposes that one of the best methods of reducing medical identity theft and the costs associated with it is an educated and aware consumer population. To make this point, it is useful to separate out the causes of identity theft listed in the Ponemon report into two groups. The first group includes causes of identity theft that victims have no control over: healthcare provider used identification to conduct fraudulent billing (22%), malicious employee in the health provider's office stole health information (7%), and the healthcare provider, insurer or other related organization had a data breach (6%). In total, 35% of the causes of identity theft cannot be affected by actions of the consumer. The second group consists of causes of identity theft that a consumer does have a degree of control over: family member took personal identification credentials without my knowledge (35%), mailed statement or invoice was intercepted by the criminal (6%), lost a wallet containing personal identification credentials (5%), and a phishing attack by criminal who obtained personal identification credentials (4%). Thus, the total of causes of medical identity theft that can be affected by actions of the consumer is 50%. It should be noted that 15% of the participants still did not know how they had their medical identity stolen.

Looking at the numbers above, it is clear that the consumers themselves can have the largest impact in reducing the number of medical identity theft cases and the severity of the cases that still occur. Not only do the consumers themselves have the best ability to reduce the risk of medical identity theft happening to them, they are the only people that can reduce the severity of the crime when it does happen. The Identity Theft Resource Center has long understood the ramifications of medical identity theft on the consumer population as well as the medical industry itself. We know that educating the consumer population can be cost-effective and powerful.

The Identity Theft Resource Center is a founding organization of the Medical Identity Fraud Alliance, the first public/private sector-coordinated effort with a focused agenda that unites all the stakeholders to jointly develop solutions and best practices for medical identity fraud. We encourage all industry stakeholders to join so that we can work together in galvanizing the consumer population into becoming the most effective weapon yet against medical identity theft.

How Consumers Can Minimize Their Risk Of Medical Identity Theft

  • Review Explanation of Benefit statements as soon as you receive them as they may detail medical services that you never received.
  • Review your credit reports multiple times a year to see if any fraudulent accounts have been opened in your name, or if any medical bills have been reported as unpaid.
  • Be aware of phishing emails. These emails are designed to look like they are official communications from either a healthcare provider or insurer and ask for personal information such as a Social Security number, insurance policy number, or other information used to commit medical fraud in your name.
  • Do not open attachments in emails from people you are not familiar with as they may contain a virus or a program to steal information from your computer.
  • Use a Virtual Private Network when using the Internet outside of your home as this will encrypt the traffic from your mobile device or laptop.
  • Do not carry your Medicare card, Social Security card, or certain military identification as these have your Social Security number on them. Should you lose your wallet or purse or have it stolen, this information would be extremely valuable to a medical identity thief.
  • Shred or safeguard any documents with personally identifiable information by either locking them in a safe hidden in the home or by storing them on an encrypted thumb drive and deleting them off your computer. Sensitive documents with PII include:
    • Tax preparation papers
    • Explanation of Benefits statements
    • Medical Bills or Records
    • Bank Statements
    • Passport
    • Medicare, Social Security, or military identification card

References
Nationwide Mutual Insurance Company. "Medical ID Theft Study Results." March 2012. Print.

Ponemon Institute. "Third Annual Survey on Medical Identity Theft." June 2012. Print.

Congressional Budget Office. Estimates for the Insurance Coverage Provisions of the Affordable Care Act Updated for the Recent Supreme Court Decision. U.S. Government Printing Office. July 2012. 13 December 2012. http://www.cbo.gov/sites/default/files/cbofiles/attachments/43472-07-24-2012-CoverageEstimates.pdf

Menn, Joseph. "ID Theft Infects Medical Records." Los Angeles Times. 25 Sept. 2006. N.pag. Web. 20 Dec. 2012.

Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

Health plans, their insurers, employer and other sponsors, and business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices.

Health plans, their insurers, employer and other sponsors, and business associates have work to do. Health care providers, health plans, health care clearinghouses and their business associates will need to review and update their policies and practices for handling and disclosing personally identifiable health care information ("PHI") in response to the omnibus restatement of the Department of Health & Human Services ("HHS") Office of Civil Rights ("OCR") of its regulations (the "2013 Regulations") implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates ("Covered Entities") restrict and safeguard individually identifiable health care information ("PHI") of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that the Office of Civil Rights found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, Office of Civil Rights officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While the Office of Civil Rights had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating the Office of Civil Rights' HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR's interpretation and enforcement of HIPAA.

Highlights Of Changes
Among other things, the 2013 Regulations:

  • revise the Office of Civil Rights' HIPAA regulations to reflect the HITECH Act's amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA's civil and criminal penalties for violating HIPAA's Privacy, Security, and Breach Notification rules;
  • update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose personally identifiable health care information is breached, the Department of Health & Human Services and in some cases, the media when a breach of unsecured information happens;
  • update interim enforcement guidance the Office of Civil Rights previously published to implement increased penalties and other changes to HIPAA's civil and criminal sanctions enacted by the HITECH Act;
  • implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose personally identifiable health care information for marketing and fundraising purposes and prohibit Covered Entities from selling an individual's health information without getting the individual's authorization in the manner required by the 2013 Regulations;
  • update the Office of Civil Rights' rules about the individual rights that HIPAA requires that Covered Entities afford to individuals who are the subject of personally identifiable health care information used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic personally identifiable health care information in electronic form;
  • revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of personally identifiable health care information protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • clarify and revise other provisions to reflect other interpretations and information guidance that the Office of Civil Rights has issued since HIPAA was passed and to make certain other changes that the Office of Civil Rights found appropriate based on its experience administering and enforcing the rules.

Covered Entities And Business Associates Must Act To Review And Update Policies And Practices
The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and update their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks. The Office of Civil Rights, even prior to the regulations, has aggressively investigated and enforced the HIPAA requirements.

The commitment of the Office of Civil Rights to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI). On January 2, 2013, the Office of Civil Rights announced that the Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing electronic personally identifiable health care information. The Hospice of North Idaho settlement is the first settlement involving a breach of electronic personally identifiable health care information affecting fewer than 500 individuals.

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. Rather, the Office of Civil Rights continues to roll out a growing list of enforcement actions demonstrating that the potential risks of HIPAA violations are significant and growing. See also:

Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to decide if additional steps are necessary or advisable.

Lessons Learned From Hurricane Sandy

This article discusses some of the unique and troublesome issues that are arising from Hurricane Sandy: 1) the definition of "storm" and its impact on insurance; 2) whether or not the damage was caused by a flood; 3) personal auto salvage concerns; and, 4) how lawyers are positioning their clients' cases.

Hurricane Sandy is said to have been the most damaging hurricane recorded in U.S. history. There appears, however, to be some dispute as to whether Hurricane Katrina holds that dubious honor. The loss estimates and concerns are changing daily. The cost of the storm, estimated by private firms including PricewaterhouseCoopers and the PFM group, points to the fact that Hurricane Sandy destroyed or damaged more units of housing, affected more businesses and caused more customers to lose power. Here is the breakdown provided on November 26, 2012: http://www.governor.ny.gov/press/11262012-damageassessment.

| | Sandy in New York ALONE | Katrina & Rita in Louisiana |
|---|---|---|
| Housing units damaged or destroyed | 305,000 | 214,700 |
| Power Outages (peak) | 2,190,000 | 800,000 |
| Businesses Impacted | 265,300 | 18,700 |

  • The number of deaths from Hurricane Sandy is more than 110 (http://articles.latimes.com/2012/nov/03/nation/la-na-nn-hurricane-sandy-deaths-climb-20121103).
  • The official death toll from Katrina was 1,723 (http://robertlindsay.wordpress.com/2009/05/30/final-katrina-death-toll-at-4081/).
  • 7.5 million power outages throughout Hurricane Sandy's two day assault on land
  • Moody's Analytics estimates the loss in the vicinity of the storm to be $50 billion, of which $30 billion will be directly from damage to property and the remaining $20 billion from economic activity, not all of which is going to come from an insurance policy.
  • 60% of the losses in economic activity, or about $12 billion, will come from the New York City metropolitan area.
  • Because of the storm's intensity and the breadth and scope of the damage, President Obama declared New York and New Jersey federal disaster zones without waiting for any damage estimates.
  • As of 12/3/2012, the Federal government has already issued $180 million in federal contracts related to Sandy.
  • The President has declared several areas as disaster areas, which means that federal funds will now be available to storm victims. (This is not limited to those without flood insurance.) This federal disaster assistance usually takes the form of low-interest loans to help home and business owners rebuild, which you can learn more about on the Disaster Loan page.

The statistics are staggering as are the losses (both covered and not covered) that are emerging from the storm. We will attempt to discuss some of the unique and troublesome issues that are arising from the storm.

Article Discussion Points:

  • Definition of "Storm" and its impact on insurance
  • Flood or NOT Flood? That is the question (or the hope)
  • Personal Auto salvage concerns
  • The Lawyers are out to get you

Definition Of "Storm" And Its Impact On Insurance

A storm reaches tropical storm status by reaching sustained winds of 39 miles per hour. The National Hurricane Center creates annual lists of names from the database of names maintained and updated by the World Meteorological Organization. If a storm causes significant damage and/or loss of life, the name is retired from the list permanently. Thus, there will be no Katrina II or Sandy II.

1. What Does The Definition Of "Storm" Have To Do With Insurance? There May NOT Be Coverage On The DIC.
Thousands of businesses were affected by Sandy. Many times those larger clients have flood and wind coverage, but written on a large property or DIC (Difference in Conditions) policy.

In those policies there may be restrictions, sub-limits or different deductibles that apply to "Named Storms." Those policies will define what that is, and should include flood, wind, wind gusts, storm surges, tornadoes, cyclones, hail or rain in this category once the storm has been declared by the National Weather Service to be a hurricane, typhoon, tropical cyclone, tropical storm or tropical depression, thus bringing into focus the entire life cycle that a storm may go through.

We have found a number of articles written by law firms that are already taking on the issue of "named storm," claiming that even though the National Weather Service had named the storm, it was not at hurricane strength when it reached landfall. A comprehensive definition of "named storms" would be helpful to clarify coverage. The fact that the meteorologists are discussing the attributes of this storm to be more like a winter storm rather than a tropical storm may end up on the chopping block of justice in a civil court or two and test the insurance policy coverages.

2. What Is Unique About Hurricane Sandy?

  • Sandy has defied normal storm behavior by moving east to west; it acted both like a hurricane and a cyclone simultaneously.
  • The result of this last odd wind pattern was the root cause of the flood tides and the inundation of the New York subway system.
  • The storm qualified as a hurricane at the time of landfall and its wave "destruction potential" reached a 5.8 on the National Oceanic and Atmospheric Administration's 0 to 6 scale.

3. One Storm or Two Storms:
Bad memories of the World Trade Center came immediately to mind when I read about this potential concern relating to Hurricane Sandy in the Daily Report. You might remember there was a significant concern that a second storm, following the initial impact of Sandy, was going to hit which would have further devastated the area.

Richard Mackowsky, a member of Cozen O'Connor's global insurance group, said "new damage from a second storm could result in a separate occurrence, potentially requiring a separate set of deductibles."

"If there is damage caused by a second storm but related to the first storm, issues arise as to whether there were one or two occurrences. A second storm could impact causation as to what is really driving the loss. If the only reason the second storm caused damage was because of damage from Sandy, the question then becomes whether that is a covered cause of loss," Mackowsky said. "A second storm could trigger a separate limit of liability if it's a big enough situation," he said.

But even one storm can create causation questions. Was the damage from wind or flooding? Not a simple question to answer, litigation stemming from previous storms has shown.

Excerpted from the Daily Report

Saved by the bell on this one — the second storm never hit, but the insurance pundits were armed and ready.

Flood ... Not Flood? — That Is The Question

This appears, at first glance, to be Insurance 101 — most of this damage was either directly or indirectly caused by the condition of flooding. That is sure what it looked like to me and that is not a very popular observation. Why? Because most people did not have flood insurance and if they did, the flood insurance policy has limited amounts of insurance and significant restrictions such as no business income coverage.

1. Dilemma Of The Federal Flood Insurance Program — It's A Problem:
Even if it is covered on the flood insurance policy, there is real concern about the overall program. See this article from Reuters for more information.

2. Flood Or Not Flood
Whether talking about homeowner's insurance (including renters and condominium owners) or commercial property insurance, those forms most often include an exclusion for flood. So, here is where it gets a little tricky:

  1. Did the property owner sustain damage from storm surge?
  2. Was the loss due to rising flood waters?
  3. Was the loss due to too much rain that entered into the building because the wind removed the roof, blew out the windows or knocked a part of the building down?

"It is an ongoing saga," says insurance lawyer Frank Darras, who has worked extensively on litigation scenarios following Katrina. "If you are a homeowner, you are going to argue that you have damage caused by wind and wind-driven rain. If you are the carrier, you are going to say the damage was caused by flood, tidal surge or a hurricane, which requires hurricane coverage."

Excerpted from The Street

In a unique twist, New York has a specific website that contains a regularly updated scorecard on insurance company performance. Here's the link. For example, State Farm has had 48,109 claims; 6,363 closed with payment; 5,229 closed without payment.

3. Problems With The Flood Insurance Solution
FEMA says that less than 15% of homeowners nationally carry flood coverage. Federally backed lenders have been lax in enforcing the obligation to purchase flood insurance (that may change due to higher penalties being imposed upon the banks as of July, 2012).

The National Flood Insurance Program anticipates claims between $6 and $12 billion but has borrowing power at $2.9 billion. Reauthorization from Congress would be required, and Homeland Security is expected to request appropriation soon. Those current and new policyholders of National Flood Insurance Program coverage will be getting a scheduled rate increase that predates Sandy.

Even if the person or business purchased flood coverage, there are still problems and concerns.

  1. The limits of insurance available through the National Flood Insurance Program are small.
  2. Replacement cost coverage applies only to a dwelling and not to commercial structures.
  3. There may be wind damage to the building that the flood insurer will not pay but is covered in the homeowner's policy.
  4. The insured will get to pay two deductibles for those two separate policies.
  5. What kind of coverage is there if the first layer of property coverage is the NFIP coverage and the insured purchases excess layers of flood coverage above that policy?
    1. Will it drop down to pick up the replacement cost difference? No.
    2. Will it drop down to pick up business income, extra expense coverage? It should. Check the policy language.

4. The Future Of Flood Insurance
The future of the entire program is bleak enough. Add to that the impact of Hurricane Sandy on the future purchase of flood insurance. Homeowners in storm-damaged coastal areas who had flood insurance, and many more who did not, may now be required to carry flood insurance and will face flood premium increases of an estimated 20 to 25 percent per year beginning in January. This is due in part to legislation enacted in July to shore up the debt-ridden National Flood Insurance Program and is exacerbated by Hurricane Sandy.

"Because private insurers rarely provide flood insurance, the program has been run by the federal government, which kept rates artificially low under pressure from the real estate industry and other groups. Flood insurance in higher-risk areas typically costs $1,100 to $3,000 a year, for coverage capped at $250,000; the contents of a home could be insured up to $100,000 for an additional $500 or so a year," said Steve Harty, president of National Flood Services, a large claims-processing company.

Excerpted from The New York Times

Lenders, in addition, will be affected by Hurricane Sandy if they fail to enforce the requirement for their lenders to carry flood insurance. They will face even higher penalties than they have in the past.

5. Ordinance Or Law

  1. Many of those properties damaged by Hurricane Sandy had been built a number of years ago. So here are the questions:
    1. Does the Homeowner's Policy, Commercial Property Policy or Difference in Conditions include contingent ordinance or law coverage, demolition coverage and increased cost of construction coverage?
    2. What about the loss of use for the homeowner as well as the business interruption coverage?
  2. The National Flood Insurance Program policy is out as there is no coverage for the indirect loss.
  3. Many Difference in Conditions policies do not include ordinance or law automatically and many more do not include ordinance or law — increased period of restoration to cover the additional down time due to code or law enforcement.

6. Power Loss
Earlier we quoted the statistic of there being approximately 7.5 million power outages throughout Hurricane Sandy's two day assault on land. Many of these outages lasted days and weeks. There are several issues relating to insurance in terms of the power outages:

  1. Requirement Of An Off Premises Endorsement: In order for businesses to have coverage for either direct or indirect losses relating to power outage, the insurance would first need to have "off premises" or "utility coverage" on the policy. Typically, losses stemming from off premises situations are excluded on property insurance policies.
  2. Causation Of The Power Outage: If there was coverage on the property policies for the off premise loss, the situation that occurred off premises would have to be covered. For example, if the off premises loss were caused by a windstorm, that cause of loss is typically covered on a Commercial Property Policy or personal form. If the loss were caused by flooding, then that cause of loss is excluded and the off premises endorsement would not apply.
  3. Off Premises Deductible: Off premises coverage oftentimes has a "time" deductible or waiting period of 72 hours unless endorsed. This waiting period would have eliminated coverage for many of the properties that had their power back in three days or less.
  4. Direct vs. Indirect Loss: An Off Premises Endorsement would have to cover both direct damage and indirect to pick up a loss for Business Income.
  5. Other Perils such as Equipment Breakdown (EB): The cause of off premises loss may be due to a power surge that results from the storm. If the Equipment Breakdown policy has off premises coverage and business income coverage, then recovery can be sought under that policy.
  6. Some Off Premises Policies Have Distance Limitations: It must be ascertained if there is any distance indication on the policy to which the off premises is being attached. For example, some policies have a 500-foot distance radius which means the source of the off premises loss must be within 500 feet of the insured's premises.
  7. Spoilage: It may be that the loss the insured sustained while the power was out was spoilage, such as loss to refrigerated items and the business income that stems from that loss. This could be covered on either an Equipment Breakdown Form depending on whether there was a "breakdown" or on a Commercial Property Spoilage Form. Some Homeowners have limited coverage built in for refrigeration loss but not for the peril of flood.

7. Business Income
Now we are talking about one of the bigger claims that will result from Hurricane Sandy and much of it will not be covered. Here are some of the pressure points of this coverage:

  1. Cause of Loss — back to that one. Flood is excluded on the Commercial Property form so there will be no response for business income.
  2. The Flood insurance policy does not cover business income.
  3. If the cause of loss is determined to be "windstorm" and the insured has Business Income insurance, then the policy should respond from the causation point of view assuming they had direct damage.
  4. The insured will have to prove that their income loss is directly attributable to Hurricane Sandy.
  5. The policy has a waiting period for coverage, typically 72 hours unless endorsed.
  6. The policy would have to be endorsed with Off Premise coverage for the Business Income stemming from loss of power to apply.
  7. There is no building ordinance for the business income — it would have to be endorsed.
  8. Civil Authority: Many of the businesses did not sustain direct damage but were closed by civil authority.
    1. There is limited coverage on the Business Insurance form
    2. There may be distance limitations
  9. Ingress/Egress: A bigger problem is the ingress/egress issue which basically means "because of the condition, itself, access to an area is affected or unavailable." For example, if a road is flooded out so that there is no access to a grocery store, the grocery store will be able to demonstrate they are losing customers. However, if the store was not directly affected by the physical loss, there will be no trigger on their business income form. Civil Authority did not close down the area — it was closed due to natural events in this case.

Traditional Business Income Policies require that there be direct damage to the premises by a peril insured against for there to be any business income insurance response. However, there is talk, in the aftermath of Hurricane Sandy, of what is referred to as Non-Damage Business Interruption or Non Physical Business Interruption Insurance. It is referred to as NDBI. While articles are referring to these coverages, as if they are readily available, I believe they are truly exceptional in availability and accessibility. Sometimes these forms are part of a "supply line coverage" for very large businesses that often have an international component. There is also the TDI or CDI coverage — Trade Disruption which could come into play — however, that coverage has a very limited market. Bottom line, the average business that sustained damage as a result of Hurricane Sandy had neither one of these types of coverage. Liberty International apparently has a program.

8. Automobile Losses From Hurricane Sandy
Autos are the easiest part of this equation: whether wind, flood or a combination, all are covered under the "Other Than Collision" coverage. The salvaging of these autos is where it gets interesting. Canadian officials are now bewailing the fact that thousands of autos — some estimates are as high as 250,000 — are likely making their way to Canada. Those storm-damaged vehicles are classified in Canada as "non-repairable" and are illegal to sell. But, in the aftermath of Katrina, Canadian citizens were buying these vehicles in the thousands, and they expect the same thing to happen again. What I wonder is, who is selling those vehicles? The original owner? The salvage company the insurer uses?

The Lawyers Are Out To Get You

Errors And Omissions Litigation
Well, as if all the foregoing isn't depressing enough, we cannot end this article without a little nudge to the insurance agent and broker.

If you are relying upon "conversations" with your client along the lines of "Do you want flood insurance? No. OK, then," you are going to be sadly mistaken that your client is not going to enjoin you in litigation over your standard of care. Your client is going to claim an increased standard of care, yes including New York residents, and that you had a duty to advise and quote coverage for them or at the very least, tell them in writing of the limitations of coverage in the policies they purchased and that they relied upon you for your expertise. Many agents simply renew, year after year, their direct bill homeowner's and small business clients without any documentation of coverage offers. Even those handling larger accounts somehow rely upon the client's memory and good will not to sue you. So, again, for the millionth time already, please, please document your file, in writing, to the insured, with a rejection signature every year or, for larger accounts, an authorization to bind affirmation from the insured.

As we were all glued to the TV, watching reporters being blown around reporting the devastation, my insurance brain immediately went to "flood exclusions." I saw the wind ravaging the houses, the uprooted trees blocking the roads, but also saw the rising waters in the streets, along the shores, in the housing areas.

The question will come down to that simple reality — was the damage due to flooding or not? The attorneys are out in force, fighting for first page on the Google search engine so you get to them first. It reminds me of an old Gun Smoke movie — ready, aim, fire. Barrels are being loaded against the insurance companies.

There is no easy way to end this article, although I am sure all of you who reached the very end are hopeful that I will. The storm was one of the biggest ever, and the insurance story will not end soon. There is so much more we could say but best end this with a heads up to watch and see how these claims unravel; and, for those of you who did not insure any of these damaged properties, I say a toast of champagne is in order.

Where To Park The Liability - On Parking Lots And Workers' Comp

When you're facing a claim of injury in or near a parking lot, are you on the hook?

Employees sometimes drive to work,
And then they find a parking spot,
Sometimes on a busy street,
Sometimes in a parking lot,
But injuries can still occur,
Between their cars and the front door,
And who will pay for slips and falls,
Will always be the Judge's call.

Such is the nursery rhyme sung to children of applicants' attorneys and defense lawyers in the dark and murky world of California workers' compensation.

This issue came up recently while I was having lunch with my brother-in-law, Jasper. Jasper had been doing well recently in the wheelbarrow industry, and wanted to expand his operations from his garage to a real factory. He invited me to lunch to present me with some exciting investment opportunities in the wheelbarrow industry. Currently, Jasper had his eye set on one location in particular because it came with a parking lot.

His plan was to set up a series of obstacles in the parking lot, in the hopes that the employee with poor agility and balance would sustain injury outside his factory and shield him from workers' compensation liability. Thus, only the workers that could swim faster than sharks, swing over quicksand pits, and tightrope over mine fields would actually make it to work.

Without getting into issues of serious and willful misconduct, for those readers out there that aren't Jasper, when you're facing a claim of injury in or near a parking lot, are you on the hook? Let's start with the basics.

In order for an injury to fall within the scope of California's workers' compensation system, as opposed to general civil tort, the injury must arise out of and occur within the course of employment (See Labor Code section 3600). This is commonly referred to as AOE/COE (Arising Out of Employment, in the Course of Employment). Generally speaking, injuries sustained during the regular commute to or from work are not compensable, unless they fit into one of several exceptions.

But what about that last stretch of travel, between the car door and the building door?

In the case of Lewis v. WCAB, Lewis parked in a lot leased for employees. Walking down the street to her office, three blocks away, she fell. In finding the claim compensable, the Supreme Court reasoned that there is a "reasonable margin of time and space necessary to be used in passing to and from the place where the work is to be done" included within the scope of employment.

The Court went further, noting that once the employee enters the premises under the control of the employer, including employer-owned parking lots, the commute has ended and the scope of employment has begun (See Santa Rosa Junior College v. WCAB, footnote 11).

By providing an employee parking lot, Jasper could very well find himself increasing his liability with every square foot of parking under his control.

At this, Jasper got nervous and decided his plan would have to be changed. Instead, he would have his employees park on the street and use the entire lot for more obstacles. After all, he read an article in Wheelbarrows and Workers' Comp, a very limited-circulation magazine which only exists in this story, which discussed a similar idea. There, the article's author discussed two cases.

The first, an unpublished decision by the Court of Appeal, was Sharp Coronado Hospital v. WCAB. There, the Court held that an employee asked by its employer to park on the street instead of the parking lot was precluded from recovering for an injury sustained while walking from the employee's parked car to the hospital. The other, General Insurance Co. v. WCAB, held that an employee struck while crossing the street from his parked car to work could not recover because of the going and coming rule.

Furthermore, he had heard his friend, an applicants' attorney, grumbling about the panel decision in the case of Sharon Ewegemi v. Oakland Unified School District. In that case, he understood, a teacher had parked her car on the street and was just a few feet from the door of her school when she turned back to get some papers from her car. Walking to her car, she tripped and fell in the street.

In denying her application, the Workers' Compensation Appeals Board reasoned that, until she entered the school and began working, she was still engaged in her commute, even up to a few feet away from the school.

Jasper's new plan could put all this into use, he thought, by having his employees cross the obstacle course before entering the front door.

Now, bear in mind, dear readers, this is my brother-in-law, so things had to be stated delicately, or else every Thanksgiving dinner would include Jasper mumbling about how he hopes I come see his snake-pit. So, I had to explain that his new idea wouldn't exactly work, either.

So, as I side-stepped the issue of intentionally exposing workers to snake-pits, quicksand, and landmines, I gently pointed out that he might still be liable for injuries sustained in his parking lot because of the "special risk" doctrine, which makes injuries sustained during travel to work compensable if the employee is exposed to a risk of injury, for the benefit of the employer, to which the general public is not exposed.

For example, the applicant in the case of Sandra Parks v. Workers' Compensation Appeals Board was attacked two car lengths down the street from the employer-provided parking lot, as she was boxed in by school children crossing the street and other cars behind her. In finding the injury compensable, the Court of Appeal reasoned that the car's immobility caused by school children crossing the street was a special risk, and thus compensable.

Similar results were reached in R. G. Greydanus v. Industrial Accident Commission and John Freire v. Matson Navigation Company. In Greydanus, a dairy employee who had to turn left across a busy road to pull into the dairy farm was found to be exposed to a special risk because of the dangerous turn.

Likewise, in Freire, a janitor who worked aboard a steamship could only reach the ship by walking across a public bulkhead. The walk across the bulkhead was found to be a special risk, and the injury, though sustained some distance away from the ship itself, was found compensable.

Jasper looked deeply saddened as his eyes became watery and he glanced down at his blueprint. Where, before, the set of American Gladiator was reborn in his parking lot, now remained only painted lines between which employees could park their cars before proceeding to work.

Frustrated, Jasper shoved his blueprint aside and decided he wouldn't have a parking lot at all. As he angrily stared out the window, no doubt jealously glaring at the restaurant's parking lot, your humble author felt compelled to give some good news.

"Cheer up," I told my brother-in-law, Jasper. "Not all injuries sustained in parking lots are compensable." At that, Jasper seemed to rekindle the possibility of a parking lot obstacle course and he began to listen closely.

For example, in the case of Jessica Rodgers v. Workers' Compensation Appeals Board, an employee took a break from work to go to the bank. She then returned to the work parking lot and arranged her money before stepping out of her car and returning to work. In between her car and the building, however, a "biker," who had followed her from the bank, attacked her and stole her money.

Even though the injury was sustained during work hours, between starting and finishing the day's shift, and in the employer parking lot, the Court of Appeal held that the injury was not compensable because the cause of the injury was formed independent of any work-related activity — the biker just wanted to rob her, regardless of where she worked or who she was.

Likewise, in the panel decision of Basil Perkins v. City of Los Angeles, the applicant, a city animal control officer, was shot while napping in his work vehicle, while parked in the employer-owned lot, and wearing his uniform. As his home was over 130 miles away, he made a regular practice of napping in his car after a shift had ended.

Initially, the workers' compensation judge found the injury compensable, but the Workers' Compensation Appeals Board reversed, finding the injury was not compensable, as the shift had ended, and the employee was only in the parking lot for his convenience. In other words, the scope of employment cannot be artificially extended by dallying on the employer's premises.

The same occurred when a worker arrived to work too early, as in the writ denied case of Paul Grove (Dec'd), Sharon Grove (Widow) v. Miller Coors, LLC. In that case, the employee had arrived to work early and had used the restroom at work less than two hours before the start of his shift, when he sustained an injury in the restroom. There, the workers' compensation judge found the injury to be non-compensable.

Fortunately, Jasper never got to try out his obstacle course idea — the wheelbarrow industry took a downturn, and he decided expanding beyond his garage was not a good idea at this time. Regardless, here are some takeaway rules:

  1. Arriving at an employer-owned or provided parking lot begins the scope of the employment relationship and ends the commute, so long as the arrival is within the regular time for employment.
  2. If travel to the employer or the employer's parking lot presents a "special risk" to the employees, then the time during which the employee is exposed to the risk will not be barred by the Going and Coming Rule.
  3. Injuries sustained in an employer-provided parking lot are subject to AOE/COE analysis, so injuries sustained for reasons unrelated to work, such as robberies, will not be compensable, unless the special risk doctrine applies.
  4. Whatever the liability for workers' compensation, the "Going and Coming" rule is not subject to the premises rule for civil liability and respondeat superior, as found by the Court of Appeal in Dean Hartline v. Kaiser Foundation Hospitals.
  5. Do not invest in the wheelbarrow market if the president of your company is busy planning an obstacle course for his employees trying to get to work.

Healthcare's Age of Agility Will Shuffle Market Leadership

A rapidly building wave of innovative new care and payment models will lead to breakthroughs in healthcare. The winners in the next epoch of healthcare will be those that have agility in contrast to the lumbering nature of traditional healthcare systems.

Surgeon and author Dr. Atul Gawande outlined how, at the turn of the 20th century, more than forty per cent of household income went to paying for food, and food production consumed roughly half the workforce. The drive to change that began in a small town in Texas where an array of new methods of food production was tested. The results were stunning. Today, food accounts for 8% of household budgets and 2% of the workforce.

As a swarm of small innovations led to the transformation of farming, so too is a rapidly building wave of innovative new care and payment models leading to similar breakthroughs in healthcare. The winners in the next epoch of healthcare will be those that have agility in contrast to the lumbering nature of traditional healthcare systems.

In old line models, attempting a new care or payment model meant long planning and development cycles. The cost and complexity of testing new models prevent many from being tried. Demonstrating how healthcare hasn't experienced the benefits of modern, cloud-based software, the leading HealthIT vendor is known to charge $100 million and up for its software and it takes a year or two to start realizing any benefit. [See also Health Systems Spending Billions to Prepare for the Last Battle]

Iterative Testing And Refinement Will Prevail
There's a striking parallel between the transformation of healthcare and what happened with advertising campaigns as a result of traditional media getting disrupted by digital media.

Once upon a time, because the stakes were high with large ad campaigns, 90% of the effort around an ad campaign was in the planning/building of a campaign — i.e., creating ads, focus grouping creative/promotions, planning where to place ads, etc. When ads were created and it was decided where to run the ads, marketers sat back and watched to see how it would play out with little ability to change the course of a campaign.

Today, as little as 20% of the marketing effort is done upfront before putting elements to the test. The Internet is much more effective at testing offers and ad creative than a contrived focus group. Likewise, smart marketers can tap very sophisticated tools to optimize their ad spending so that the actual place ads run can be radically different than what an ad director may have thought initially.

I'd expect a similar transition to happen in healthcare. As Dr. Farzad Mostashari (National Coordinator for Health IT) said, "what's transformative isn't just harvesting & analyzing Big Data — it's instrumenting what we do, testing predictions, A/B trials..."

It's well understood that the mega healthIT systems (e.g., a $900M implementation was announced not long ago in the Northeast) take a couple years to implement. The long implementation is due, in part, to all of the decisions that have to be made regarding customization. The stakes are high, as it's only logical to do system-wide changes when hundreds of millions are at stake, leading some healthcare providers to have weak operating results as a result of healthIT costs, as Zina Moukheiber reported. The market leader is noted for its customizability. However, once customized, it's also noted for its rigidity. That is, if a workflow changes, it's a major project to change the supporting healthIT to support the new workflow.

Where processes are well understood and predictable (e.g., surgeries), applying a manufacturing mindset is very appropriate. It's akin to setting up an assembly line at an auto plant at great expense. Once that is done, it can be used for a long period of time and is worth the upfront investment. The danger comes in when it comes to chronic disease management (where more than 75% of healthcare dollars are spent). With accountable models and recognition that the patient or family members have the greatest impact on outcomes (i.e., not healthcare professionals), setting up a rigid system is a recipe for disaster.

If there's one thing we know for certain, it's going to take iteration for many years to hone how to tackle chronic conditions, as it involves complexity of the variety humans present to the healthcare system. In an agile system that has modern software economics (i.e., dramatically lower cost), it's feasible to do smaller scale tests. If they prove successful, they can be expanded. A recent podcast from the Institute for Healthcare Improvement on reducing readmissions echoed this point — i.e., addressing an issue like this will take a series of changes vs. one silver bullet.

The rigid mega healthIT systems are a vestige of the "do more, bill more" model of reimbursement, particularly given that healthcare is a supply-driven market (e.g., MDs who own a stake in imaging equipment order scans at three times the rate of MDs who don't). Spending nine figures doesn't sound as bad when you have capital projects planned in excess of $1 Billion. Perhaps we should refer to the legacy model as the "build more, do more, bill more" model. Any health analyst will tell you that the cure for healthcare's hyperinflation is NOT building more healthcare facilities. It would be as if a fire department argued that the way to solve a wave of structural fires was to buy more fire fighting equipment. Indeed, that might help, however there's a much more cost-effective approach such as having buildings inspected for fire prevention capabilities.

In their book, The Innovator's Prescription, Clayton Christensen and Dr. Jason Hwang point out how applying technology into old business models has only raised costs. Thus, buying new technology isn't a silver bullet if it's put into an old business model. Rather, the new technologies need to go hand-in-hand with agile, new processes. The organizations who optimize their approaches for a more agile model will prevail.

Plugging new technology into old business models has caused health care costs to rise rather than fall

Images are courtesy of Jason Hwang, M.D., M.B.A. Co-author of The Innovator's Prescription.

Dramatic Gains From New Care And Payment Models
Innovators such as Iora Health, WhiteGlove Health and Qliance rethought the care delivery and payment models from the ground up. Their results have been impressive. For example, Qliance has Net Promoter Scores higher than Google or Apple, while reducing the direct costs of healthcare (i.e., their service coupled with a high deductible wrap-around policy) 20-40%. More impressively, they have reduced utilization of the most expensive downstream costs (surgical, specialist and emergency visits) 40-80%. Iora has reported similar outcomes with some of the toughest patient populations out there. [See "David Clause" in Obamacare Ready to Slay the Healthcare Cost Beast for more on the outcomes Iora and Qliance have reported.]

The next wave of innovators are taking advantage of second-mover advantage as the wave of healthtech startups provide them off-the-shelf software that is an order of magnitude less investment than the first wave of innovators. It's a couple orders of magnitude less expensive than legacy healthIT. More importantly for the innovators is the speed that they can not only stand up the new technology but also easily iterate based on real world experience. Rather than months or years, it's hours or days. This is a key component of IT agility. They also make the most of investment others make rather than be threatened by them. A simple example: WebMD is used by over 100M consumers per month. Clinicians can curate information that they think will be useful for patients from WebMD and others (e.g., medical societies) who've made large investments in consumer-friendly content. Healthcare can no longer afford to reinvent the wheel. [See Khan Academy Approach to Solve Wicked Problem in Healthcare for examples of new approaches taken.]

Change is already happening faster than many expected. Oliver Wyman's recent paper highlighted the rapidity of the market shift in The ACO Surprise (PDF). When I was presenting to the Pioneer ACOs over the summer (see summary here), it was already apparent to the pioneering organizations that their new models required new systems. They went on to state they didn't expect to get anything for the new requirements from their traditional healthIT suppliers for at least the next two years. Meanwhile, the market shift is taking place much quicker than that.

New York Digital Health Accelerator Is A Model To Emulate
Zina Moukheiber highlighted a program that is a key plank of perhaps the largest effort in the country to reinvent healthcare delivery and payment.

The New York Health Home program was designed to make obsolete the traditional uncoordinated and unaccountable "system" that has cared for Medicaid patients in New York. Managing a $50B budget gives Dr. Nirav Shah (NY's state Commissioner of Health) the clout to attract hundreds of companies that want to enable the reinvention of healthcare. Dr. Shah and other leaders in New York's public and private sector recognized that with an entirely new set of objectives a new set of technology requirements naturally emanates from that. Through the New York Digital Health Accelerator (NYDHA), they are supporting the growth of agile startups to meet these new requirements. [Disclosure: My company was one of the 8 companies selected for the accelerator program.] Just two months into the program, there are pilots and deployments with the accelerator companies underway in the leading healthcare providers in New York.

The graphic below depicts the transition from the slide rule to the mainframe and then back out to mobile devices. Dr. Shah's comments in the video above echoed the shift from an old "mainframe" method of healthcare delivery to a more distributed "smartphone" model.

Centralization followed by decentralization in computing

New business models require new technology. As David Whitlinger (head of the New York eHealth Collaborative) highlighted in the video above, his organization has built a state health information network but what it needs are the applications riding on top of that network to realize its full value. The startups in the NYDHA will be the first to get access to the statewide network due to their agility in taking advantage of the state's health information exchange.

A new ecosystem of disruptive business models must arise

What An Employer Can Do To Reduce Soft Tissue Injuries In The Transportation Industry

Employers need a way to manage their Musculoskeletal Disorder exposure and provide better care to their injured workers. The key to managing this problem is for employers to obtain the ability to only accept claims that arise out of the course and scope of employment.

The trucking industry accounted for nearly 20 percent of all days-away-from-work cases in 2011. Correspondingly, trucking was among the seven occupations which had an incidence rate greater than 300 cases per 10,000 full-time workers and who had greater than 20,000 days-away-from-work cases.

OSHA defines a Musculoskeletal Disorder (MSD) as an injury of the muscles, nerves, tendons, ligaments, joints, cartilage and spinal discs. They identify examples of Musculoskeletal Disorders to include: carpal tunnel syndrome, rotator cuff syndrome, De Quervain's disease, trigger finger, tarsal tunnel syndrome, sciatica, epicondylitis, tendinitis, Raynaud's phenomenon, carpet layers knee, herniated spinal disc, and low back pain.

The average cost of a work-related soft tissue injury in the trucking industry exceeds any other industry. According to the U.S. Bureau of Labor Statistics (BLS), Musculoskeletal Disorders nationwide typically account for 33% of work-related injuries, while the incidence of Musculoskeletal Disorders in the transportation industry is 60-67%. The Bureau of Labor Statistics also noted that there were 1.4 million total transportation workers, and each year 1 in 18 is injured or made ill by the job.

These higher rates of injury can be attributed in part to several factors. Due to the nature of their work, many drivers maintain a poor diet, rarely get enough sleep, and are sedentary. As a result, they find themselves more susceptible to heart attacks and diabetes, as well as a myriad of strains, sprains and various other Musculoskeletal Disorders.

Additionally, the percentage of older workers is higher in transportation than in most industries, with the Transportation Research Board estimating that up to 25 percent of truck drivers will be older than 65 by 2025, translating into more severe Musculoskeletal Disorder claims.

These factors are contributing to more workers' compensation claims for drivers which increase employers' costs. As part of the job, many truck drivers are required to unload the goods they transport, leading to serious sprains and strains. Heavy lifting after long periods of sitting can increase the likelihood of severe sprains and strains. In addition, drivers often rush at the delivery site in an effort to meet the demands of tight schedules. This combination contributes to 52% of the non-fatal injuries in this industry, with trunk and back claims accounting for 70% of these cases.

Due to its unique workplace circumstances, the commercial transportation industry is at higher risk for increased frequency of injuries and costs to the industry. The following describes the framework of this dilemma:

  1. Commercial transportation jobs expose workers to high physical demands and extended hours of exposure.
  2. The transportation industry experiences one of the highest work-related injury rates among all workplace sectors.
  3. The transportation industry experiences a high level of turnover on an annual basis, which results in a high number of newly hired employees exposed to unfamiliar and physically demanding tasks.

While this is an industry-wide issue, we will focus on California in order to illustrate how problematic it truly is. In March of 2010, the California Workers' Compensation Institute (CWCI) issued its latest scorecard for the California Trucking Industry. Over eight years, $480 million was paid in medical and indemnity costs alone. The study found that, even though this industry accounted for only 1% of all California industrial claims, it accounted for 1.8% of the state's workers' compensation paid benefits. It was also found that medical and indemnity payments were higher than in any other industry. The average lost-time direct claim cost at $18,587 is 41% higher than the industry average in California. The indirect costs in this industry range from a 2x to a 10x multiple, and in an industry known for low profit margins, controlling costs is critical.

It should also be noted that California can retain jurisdiction of a workers' compensation claim even if the injury did not occur in that state; the employee only has to live in California, drive through California or have been hired out of California. This is such a significant problem that in 2010 the U.S. Department of Transportation initiated the Compliance Safety Accountability measure of driver's fitness. This is specific to transportation, is publicly available, and the ratings are tied to insurance rates and letters of credit.

With the numerous reforms taking place in 2013 and the Centers for Medicare and Medicaid Services (CMS) Mandatory Reporting Act, it is now essential that employers become proactive and only accept claims that arise out of the course and scope of employment. Medicare has mandated all work-related and general liability injuries be reported to CMS in an electronic format. This means that CMS has the mechanism to look back and identify work comp-related medical care payments made by Medicare. This is a retroactive statute that will ultimately hold the employer and/or insurance carrier responsible for these payments.

Should CMS have to pursue the employer in court, the amount owed is doubled. The insured or employer could pay the future medical cost twice — once to the claimant at settlement and later when Medicare seeks reimbursement of the medical care they paid on behalf of the claimant. There is no statute of limitations on compliance with the MSA requirements. CMS can review claims closed last year, five years ago, or even longer to check for compliance. Penalties and fees for noncompliance are $1,000 per day if medical care is not paid within 30 days.

Historically, soft tissue injuries have been difficult to diagnose and even harder to treat due to the broad spectrum of disorders related to soft tissue. Most diagnostic tests are not designed to address Musculoskeletal Disorders and are unable to document the presence of pain or loss of function ... two key complaints.

Employers need a way to manage their Musculoskeletal Disorder exposure and provide better care to their injured workers. The key to managing this problem is for employers to obtain the ability to only accept claims that arise out of the course and scope of employment. The only viable solution for employers is to conduct a baseline soft tissue assessment in order to establish pre-injury status. The baseline must be job and body part specific and objective to comply with the Americans with Disabilities Act Amendments Act of 2008.

The baseline assessments are not read or interpreted unless and until there is an injury. By not identifying a potential disability, employers are able to conduct baseline assessments on new hires as well as existing employees while maintaining compliance with the Americans with Disabilities Act Amendments Act. If there is a soft tissue injury, the employee is sent for a post-loss assessment to determine whether there is any change from the baseline assessment and, if so, what it is. If no change is noted (no acute pathology), then there is no valid claim. This proven baseline program is known as the EFA Soft Tissue Management Program (EFA-STM Program), which utilizes the Electrodiagnostic Functional Assessment to objectively provide this data.

Napoleon's Corporal And The Implementation Of Senate Bill 863

This article includes comments and observations on developing claim procedures to implement SB 863.

SB 863 was passed on the last day of August 2012. It is the largest and most comprehensive change to the California workers compensation system since April 2004 when SB 899 passed.

To make sure that the new law is implemented properly, the California Division of Workers Compensation and the Workers Compensation Appeals Board have both promulgated extensive regulations. Some of the regulations, by their nature, were considered "emergency" and were approved by OAL on December 31.

Because of the extensive impact of the various articles in the legislation, there will be ongoing regulatory efforts at least through the first six months of this year.

I strongly encourage all claims operations to review these regulations and provide their insight, thoughts, and comments on a timely basis to the Division of Workers Compensation. You can find all of the regulations on the California Department of Industrial Relations web site or the California Division of Workers Compensation web site.

Implementing SB 863
On the front lines there are many legitimate questions, such as:

  • How much of the new law applies to my existing cases?
  • If I have started Permanent Disability (PD) advances, and if the employee has returned to his/her regular work, do I still need to advance Permanent Disability?
  • What is Independent Medical Review (IMR)?
  • How will I pay for the Independent Medical Review evaluation?
  • Under what circumstances will I have to use Independent Medical Review?
  • What happens if I have an old case and the applicant attorney claims a sleep disorder?
  • What are the new ways to rate Permanent Disability?
  • What happens if the lien holders have not paid their lien filing fee?

To help claims operations and claims departments implement the new law, I have provided an SB 863 Implementation and Survival Guide, organized by Mark Webb. It is intended to assist claims operations in the day-to-day implementation of SB 863.

The original wording of the bill can be viewed here.

Napoleon's Corporal
Napoleon Bonaparte conquered most of Europe and North Africa. Many do not know the inside story of why he was a successful military leader. One reason was his unique and extensive use of cannon. However, he also had a secret weapon ... His advantage was his use of a corporal.

Napoleon realized that war was a complex endeavor. When his generals outlined the battle plan, he had a random corporal assigned to shine his boots. After the plan was explained to Napoleon, he would look down at the corporal and ask if he understood the plan. If the corporal (who had been listening to the explanation of the plan) understood, Napoleon would then authorize the attack. However, if the corporal was confused or did not understand the plan, then Napoleon had his generals re-do the plan to simplify it.

Napoleon understood that it was his front line that needed to execute the battle plan. If the plan was confusing, the front line would not be successful.

I recommend that this concept be considered when implementing SB 863.

Here are some additional comments and observations on developing claim procedures to implement SB 863:

  • Usually the best and the brightest are used to develop procedures in claims departments. That does not always result in simple processes. This is because the focus is usually only on compliance with the new laws (which does not include simplifying the existing processes or the new process).
  • When the claims departments are developing their policies, rules and procedures, front line claims assistants and examiners should be included in the development of the processes and should also review the proposed plans to determine if they can be understood and implemented.
  • Unfortunately many times the new procedures result in processes that reflect the axiom "we have always done it this way." Include folks who think "out of the box" and allow their voices to be heard.
  • SB 863 will result in major changes within the claims offices procedures and claims handling. Now is the time to take advantage of the change and embrace the change rather than to resist the change.
  • The focus on implementation should be: Benefit provision, Compliance, Cost Savings, Simplification, Documentation, Training.
  • For many claims adjusters, this will be the third system that they will be working with (Pre-899, 899 and 863).
  • Segregating claims by system may help but is not a panacea (because many of the provisions of SB 863 apply to all existing claims).
  • Claims systems will also have to be changed. Limitations of some of the claims systems will result in problematic work-around procedures for a while.
  • Sometimes working out a manual process first allows one to identify efficiencies. Do not be afraid to use a manual process for a while (as the bugs are worked out).
  • Regular reviews of the implementation team specifically focused on simplification are productive.
  • The team should have a dedicated focus on the new law's cost-saving provisions.
  • The team should keep track of its costs and also develop an analysis of costs of implementing the laws.
  • The new laws may change the claims staffing model.
  • Third Party Administrators should notify their customers of the potential increased costs (Permanent Disability, for example) and also projected savings (lien reduction and resolution).
  • Third Party Administrators should review their contracts with their customers to determine if the changes in the laws impact their current pricing models and are best for their clients and for their success.
  • Bill review vendors and Utilization Review companies both have major changes to implement.
  • Special Investigations Units and Fraud Reporting have new issues to report because of the increased conflict of interest provisions in the law. Include the Special Investigations Unit as part of the implementation team.
  • I recommend an implementation team include: A senior claims executive, a senior claims supervisor, a claims examiner, a claims assistant, a bill specialist, a hearing representative, a finance person, a claims system expert, an attorney who knows the new law, and a person who is responsible for documenting the discussions, processes and procedures.
  • Training of the entire staff will take more than just one meeting and more than one month. Assume that there will be a need for re-training on a regular basis for the first nine months.

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

In the face of rising enforcement and fines, the Office of Civil Rights' initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures.

Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other mediums!

That's the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things, to tighten certain HIPAA requirements, to expand its provisions to apply directly to business associates as well as covered entities, and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights' announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security, as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights' first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems have been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement adds to mounting evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates face, and of their need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR's announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights' expectation that covered entities will properly encrypt ePHI on mobile or other devices. "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information," said Rodriguez. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."

In the face of rising enforcement and fines, the Office of Civil Rights' initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should critically and carefully review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices to determine if additional steps are necessary or advisable. That review should take into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own security and privacy breaches and near misses and reports of those of others, and other developments.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights' enforcement of HIPAA has significantly increased, compliance with and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients' health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.