Tag Archives: department of health & human services

Healthcare Case on Cutting Corners

Healthcare providers, health plans and healthcare clearinghouses (covered entities), together with the business associates that handle protected health information on their behalf, received another reminder to be prepared to prove they properly handle and administer electronic and other protected health information. The reminder came when the Department of Health & Human Services Office for Civil Rights (OCR) announced the latest in a growing series of high-dollar resolution agreements with a covered entity charged with violating the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA).

Raleigh Orthopaedic Charges and Resolution Agreement

The Resolution Agreement and Corrective Action Plan announced by OCR on April 20, 2016 requires Raleigh Orthopaedic Clinic, P.A. to pay $750,000 to settle charges that it violated the privacy rule by handing over the protected health information of approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, NC, area. OCR’s investigation indicated that Raleigh Orthopaedic violated privacy rules by releasing X-ray films and related protected health information of patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the X-rays and protected health information (PHI).

Although the resolution only addresses charges OCR brought against the covered entity (Raleigh Orthopaedic), business associates need to keep in mind that both covered entities and business associates are now responsible for ensuring compliance with the business associate agreement requirements of the privacy rules. That has been the case since the HITECH Act, enacted as part of the 2009 stimulus bill, amended HIPAA to make the Security Rule and specified provisions of the Privacy Rule directly applicable to business associates as well as covered entities.

Takeaways for Covered Entities and Their Business Associates

The resolution agreement includes a strong message for other covered entities and business associates: It’s important for an entity to take seriously its responsibility under the privacy rule to ensure the business associate agreement requirements of the privacy rule are met before business associates are allowed to receive, access or use protected health information. Jocelyn Samuels, the director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected,” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In many cases, the process of evaluating the adequacy of current arrangements, and of considering whether existing practices should be tightened, will turn up potentially sensitive information. For example, the parties may be unable to locate a signed business associate agreement governing a relationship, or the review may surface indications that breaches of protected health information or other privacy rule violations have occurred. For this reason, most covered entities and their business associates will want to conduct this review and analysis within the scope of attorney-client privilege, or under the direction of qualified legal counsel with HIPAA experience who has entered into a business associate agreement.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for the Internet application and data use and sharing activities that virtually every covered entity and business associate engages in.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA vulnerabilities or violations and their own self-audits and spot tests of HIPAA compliance in their operations. The SEMC corrective action plan also indicates that covered entities and business associates must be able to produce evidence of top-to-bottom dedication to HIPAA, proving that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering whether their own organization should take one or more of the steps outlined in the “robust corrective action plan,” beginning with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on: transmitting ePHI over unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; the prohibition on sharing accounts and passwords used for ePHI access or storage; encryption of portable devices that access or store ePHI; and security incident reporting related to ePHI;
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices and systems that contain ePHI or other data, and how they are used;
  • Conducting other tests and audits of security and of compliance with policies, processes and procedures; and
  • Documenting results, findings and corrective actions, including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insight into the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need in order to show their organization has the required “culture of compliance.” Particularly notable are its terms on documentation and up-the-ladder reporting, which echo the tips HHS shared in its recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. The inevitable employee concern about health plan data breaches undermines the value employees place on the plan and their satisfaction with it, and responding to those concerns usually requires employers to expend significant management and financial resources.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce fails to honor these arrangements or improperly accesses or uses health plan PHI or systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws that make it a crime for any person, including the employer or a member of its workforce, to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally require the employer to keep confidential and protect against improper use, employers and their management also generally should be concerned about exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can arise even if the entity or individual is not designated a named fiduciary, expressly disclaims fiduciary responsibility, or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty, as well as potential co-fiduciary liability for breaches committed by others that they knew or prudently should have known about, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

8 Points to Consider on Cyber Insurance

A question we often hear CEOs, CFOs and directors of businesses and public and private institutions ask is, “What terms and conditions should I consider when buying cyber insurance?” We have compiled a list of some of the most important terms and conditions to consider. More nuanced industry- and organization-specific terms and conditions should be discussed with your broker and insurance coverage attorney.

1. Crisis Services

Crisis services include the costs for computer forensic investigations to determine the cause of the data breaches, obtaining legal guidance, notifying victims, providing credit monitoring to the victims, and promoting media or public relations campaigns. According to Net Diligence’s 2014 Cyber Claims Study, almost half of the total amount of insurance company payouts from data breaches was for crisis management services. The Ponemon Institute’s 2014 Cost of Data Breach Study: U.S. also reported unusually high churn rates following news of data breaches. Your organization will want professional assistance to communicate to your customers, regulators, business partners and vendors that you are taking appropriate and reasonable steps to protect your customers with respect to any loss of data and that you will take reasonable steps to try and safeguard your customers’ data going forward.

2. Regulatory Defense (including fines and penalties)

Regulatory agencies, such as the Federal Trade Commission and the Department of Health and Human Services, actively investigate data breaches within their jurisdiction. There are many examples of corrective actions, penalties and fines imposed by the Office for Civil Rights on behalf of HHS for HIPAA violations, including the $4.8 million in HIPAA settlements following the data breaches at New York-Presbyterian Hospital and Columbia University. This is especially important to keep in mind if your organization is a healthcare provider (a HIPAA covered entity) responsible for its patient information, or sponsors a self-funded health plan (a separate type of HIPAA “covered entity”) for which your organization is ultimately responsible for the security of plan participants’ data. Many policies carry a sublimit for regulatory defense: you may think you have a $10 million policy, only to find that regulatory defense is capped at $500,000, which may leave you woefully underinsured. Net Diligence reported that the average healthcare sector payout in 2014 was $1.3 million, with the median regulatory defense payout a little more than $1 million and the mean regulatory settlement cost $937,500.

3. Prior Acts Coverage/Retroactive Date

Prior acts coverage provides protection against acts that occurred before the policy period but lead to a claim during it. The “retroactive date” is the date from which such acts are covered, and it can be subject to negotiation. Although Verizon’s 2015 Data Breach Investigations Report noted that the gap between compromise and discovery is the smallest it has ever recorded (days or less, 45% of the time), data breaches can still take many months to detect. Here is a common example: On Jan. 1, 2015, a vendor releases a patch for certain security vulnerabilities in a program you run. An attacker finds that your company failed to install the patch, uses the vulnerability to enter your network, sets up a program to collect and stage your data, and then installs the patch so that no one else can use the same hole and the intrusion is less likely to be noticed. You apply for cyber insurance soon thereafter. Just after the close of the 2015 Christmas holiday shopping season, the attackers send your data out, at which point you detect the intrusion. Your insurer then notifies you that it is denying coverage for the claim because the prior acts occurred before coverage began. This is why you want the broadest “prior acts” coverage possible. You may also want to negotiate an extended reporting period, since a subsequent insurer may claim that the data breach events did not occur during its policy period.

4. Network Business Interruption Coverage

This covers certain losses while your network is interrupted as a result of a data breach. This is especially important if your organization engages in e-commerce. How much profit would you lose if your organization was down for several days while law enforcement and your computer forensics consultants investigated the cause of a data breach?

5. Contingent Business Interruption Coverage (resulting from the acts or omissions of third parties)

Many organizations rely on third parties for processing data. For example, many healthcare providers rely on third-party billing companies and clearinghouses to process payments, making them “business associates” under HIPAA. Similarly, self-funded health plans frequently contract with third-party business associates for claims management and other plan administration functions. If the business associate suffered a data breach affecting your patients’ (or enrollees’) data, your organization may bear the ultimate responsibility for the breach. Accordingly, your organization will want coverage to offset this potential loss. Your organization may also want to consider negotiating the self-insured retention or deductible in case of a loss so that the third party is responsible to pay for the deductible if it results from the third party’s acts or omissions.

6. Defense Option/Reimbursement of Costs

Some cyber insurance policies require the insurance company to hire the consultants and attorneys who defend your organization, while others agree to reimburse reasonable and necessary costs. Using your own consultants and attorneys makes sense if they already know your systems and are familiar with your business, so you won’t have to pay for them to come up to speed on your organization. You will want to consider which path to take.

7. Costs of Restoring and Recreating Data

The cost to restore or recreate data if taken or damaged can be extensive. Your organization will need to assess the cost of this coverage and its need.

8. Extortion Coverage

Criminals continue to run phishing scams in which a user clicks on a link that installs ransomware and encrypts a laptop or other computer, and the attackers then demand payment for the decryption key. Oftentimes one infected machine can spread the infection to others, so you’ll want to negotiate coverage that pays for the extortion demand and for restoring the data.

Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

Health plans, their insurers, employer and other sponsors, and business associates have work to do. Health care providers, health plans, health care clearinghouses and their business associates will need to review and update their policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the omnibus restatement by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) of its regulations (the “2013 Regulations”) implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rulemaking was announced January 17, 2013.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and make other changes to the prior regulations that the Office for Civil Rights found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, Office for Civil Rights officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While the Office for Civil Rights had issued certain regulations implementing some of the HITECH Act changes, it waited to publish the regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating the Office for Civil Rights' HIPAA Regulations to reflect the HITECH Act amendments and other changes and clarifications to OCR's interpretation and enforcement of HIPAA.

Highlights Of Changes
Among other things, the 2013 Regulations:

  • revise the Office for Civil Rights' HIPAA regulations to reflect the HITECH Act's amendment of HIPAA adding the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with, and subject to HIPAA's civil and criminal penalties for violating, HIPAA's Privacy, Security and Breach Notification rules;
  • update previous interim regulations implementing the HITECH Act breach notification rules, which require Covered Entities, including business associates, to give specific notifications to individuals whose personally identifiable health care information is breached, to the Department of Health & Human Services and, in some cases, to the media when a breach of unsecured information happens;
  • update interim enforcement guidance the Office for Civil Rights previously published to implement increased penalties and other changes to HIPAA's civil and criminal sanctions enacted by the HITECH Act;
  • implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose personally identifiable health care information for marketing and fundraising purposes, and prohibit Covered Entities from selling an individual's health information without obtaining the individual's authorization in the manner required by the 2013 Regulations;
  • update the Office for Civil Rights' rules on the individual rights that HIPAA requires Covered Entities to afford to individuals who are the subject of personally identifiable health care information they use or possess, to reflect tightened requirements enacted by the HITECH Act that allow individuals to direct their health care provider not to share information about their treatment with health plans when the individual pays for the care out of pocket, and to clarify that individuals can require Covered Entities to provide electronic personally identifiable health care information in electronic form;
  • revise the regulations to reflect amendments to HIPAA made by the Genetic Information Nondiscrimination Act of 2008 (GINA), which added genetic information to the definition of personally identifiable health care information protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • clarify and revise other provisions to reflect interpretations and guidance the Office for Civil Rights has issued since HIPAA was passed, and make certain other changes that the Office for Civil Rights found appropriate based on its experience administering and enforcing the rules.

Covered Entities And Business Associates Must Act To Review And Update Policies And Practices
The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and update their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and to manage the associated enforcement and liability risks. Even before these regulations, the Office for Civil Rights aggressively investigated and enforced the HIPAA requirements.

The commitment of the Office of Civil Rights to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI). On January 2, 2013, the Office of Civil Rights announced that the Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing electronic personally identifiable health care information. The Hospice of North Idaho settlement is the first settlement involving a breach of electronic personally identifiable health care information affecting fewer than 500 individuals.

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. Rather, the Office of Civil Rights continues to roll out a growing list of enforcement actions demonstrating that the potential risks of HIPAA violations are significant and growing. See also:

Coupled with statements by the Office of Civil Rights about its intolerance of noncompliance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should critically and carefully review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices. That review should take into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own security and privacy breaches and near misses as well as reports of others', and other developments, in order to decide whether additional steps are necessary or advisable.

Privacy Enforcement In The Healthcare Arena

The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in the absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.

The Open Security Foundation’s website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all time. Further, according to the Ponemon Institute’s 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.

A healthcare organization or business associate1 should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the Health Information Technology for Economic and Clinical Health Act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in the absence of a breach.

In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.

Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of the firm's Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:

Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.

Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.

With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization’s ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy-related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:

  • Am I prepared to show that I took the proper steps before a data breach occurred?
  • Do I have an effective incident response plan in place when there is a problem?
  • Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
  • Are my vendors and business associates also in compliance with the proper standards?

Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don’t have the time to line up all the necessary critical response vendors if a breach occurs.

Neeraj Sahni of Kroll Advisory Solutions points out:

The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.

Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:

Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization’s issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization that owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control over the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.

Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider’s control. When it comes to the handling of an organization’s reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.

The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company’s own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.

Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third party vendor to hold on to private health information for which they are responsible, they should be reviewing the vendor’s professional liability insurance rather than just asking if they have a policy.

Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:

  • 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
  • 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
  • Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
  • 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
  • 1st Party Privacy
    • Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
    • Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
    • Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
    • Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim’s credit rating following an actual identity theft.
    • Crisis Management — Public Relations expense coverage to protect the image of the organization.
  • Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.

There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.

Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information means that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.

1 A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. (For more information, see hhs.gov.)