Network Security and Data Privacy Insurance for Physician Groups

Transcription

1 Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit Manager, Healthcare msegan@lockton.com of financial loss for physician practices, network security and data privacy concerns continue to increase significantly. It is progressively more likely that when we pick up the paper, watch the news, or scan the Internet, a new report will appear about a FRED FLEMIG Senior Vice President Producer, Healthcare fflemig@lockton.com business responding to a hacker, a data breach, or a privacy issue. What has changed to make these incidents more frequent? 1. An increasingly sophisticated criminal element 2. An explosion of technology enabling the collection and storage of massive amounts of data (not always with timely and adequate training to protect the security of data) 3. Increased regulatory scrutiny and enforcement of data privacy and security laws This article will review privacy regulatory history, discuss some 2013 breaches and enforcement activities, and outline insurance options available to physician groups. Securing an appropriate insurance solution, with adequate coverage limits, can be critical to ensuring the financial health of a physician group practice. Particularly at the end of this article, we discuss the inadequacy of the throw-in coverage limits, often found in medical malpractice policies purchased by physician groups. L O C K T O N C O M P A N I E S

2 Federal Privacy Regulation Background and 2013 Updates The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the intent of protecting against the breach of personal health information (PHI). From late 1999 to early 2005, little significant change occurred relative to HIPAA. Then in 2009, The American Recovery and Reinvestment Act (ARRA) was signed into law. Title XIII of ARRA outlined the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH brought $31 billion in stimulus to grow the healthcare infrastructure and incent the use of electronic health records. In return for the stimulus, HITECH also imposed new requirements, new provisions for aggressive enforcement, and significant potential monetary penalties connected with the breach of PHI. In September of 2009, Health and Human Services (HHS) issued an Interim Final Rule for Breach Notification. The passage and implementation of HITECH was described by OCR Director Leon Rodriquez, This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates. It was not until January of 2013 that the HIPAA Omnibus Final Rule (Final Rule), which took effect in September 2013, was finally published. A summary of the Final Rule is included at the end of this document. Some of the most significant changes are: 1. Both covered entities and business associates are directly liable to the Office for Civil Rights (OCR) for compliance with the Final Rule, and both may be assessed civil money penalties for noncompliance. 2. The term business associate was expanded and business associate agreements must now be executed with subcontractors. 3. The standard for determining notification requirements for a breach has been lowered to presume a breach has occurred, unless the covered entity can demonstrate a low probability that PHI has been compromised. 4. A covered entity must provide requested records in electronic format whenever possible. This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates. -Leon Rodriguez, OCR Director

3 February 2014 Lockton Companies 2013 Breaches and Enforcement Actions Based on data within the HHS website, in 2013 there were nearly 180 breaches of PHI which exceeded 500 records. 1 According to the Ponemon Institute report, 94 percent of healthcare organizations have suffered data breaches; the cost of a breach is estimated at nearly $200 per record. 2 It would seem that a breach of PHI is more a question of when, and not if, for healthcare organizations. With the Interim Rule introduced more than four years ago and the Final Rule in place for one year, experts believe OCR will step up the assessment of civil money penalties against healthcare organizations that have experienced a breach of PHI. This trend is perhaps heightened by the Office of Inspector General s December 2013 report that was especially critical of OCR s diligence in carrying out its enforcement of the HIPAA and HITECH security requirements. Covered entities of all sizes need to give priority to securing electronic protected health information. Leon Rodriguez, OCR Director In 2013, OCR issued six resolution agreements with settlements ranging from $50,000 to $1,700,000. The costs of breach investigation, notification, and any third-party lawsuits are in addition to these settlement amounts. Details of three of these settlements are outlined below. Adult and Pediatric Dermatology $150,000 settlement, which represents the first settlement for failure to have policies and procedures in place to address HITECH s data breach notification requirements. The group is a 12-physician practice based in Massachusetts. This settlement was announced on December 26, 2013, more than two years after the HHS investigation was initiated. On September 11, 2011 an employee had a flash drive with 2,200 unencrypted patient records, stolen from a vehicle. The drive was never recovered. Rodriguez said, Covered entities of all sizes need to give priority to securing electronic protected health information. 3 Top 5 Causes of Major Data Breaches in the Past Six Months Theft (35) Unauthorized Access/Disclosure (16) Loss (5) Hacking/IT Incident (2) Improper Disposal (1) Sources: Becker s Hospital Review/ U.S. Department of Health and Human Services (1) (2) (3)

4 This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients health information. Leon Rodriguez, OCR Director Affinity Health Plan, Inc. $1,215,780 settlement. While not a physician group, the circumstances of this breach could surely impact any size or type healthcare provider. Affinity filed a breach report with the HHS Office for Civil Rights (OCR) on April 15, Affinity estimated that up to 344,579 individuals may have been affected by this breach. OCR s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ephi) stored on photocopier hard drives in its analysis of risks and vulnerabilities, and failed to implement policies and procedures when returning the photocopiers to its leasing agents. 4 The Hospice of North Idaho (HONI) $50,000 settlement. While again not a physician group, this action by HHS illustrates once again that any size organization is susceptible to an imposed money penalty. It also illustrates that the small size of a breach does not preclude a penalty being assessed. The HHS began its investigation after HONI reported that an unencrypted laptop computer containing the electronic protected health information (ephi) of 441 patients had been stolen in June This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients health information said Rodriguez. 5 (4) (5)

5 February 2014 Lockton Companies Available Insurance Product Options A critical component of any cyber liability risk management program is a complete insurance solution to address the exposure to loss. The consequences of a data breach or privacy incident are numerous and can be severe. Financial loss can result from: Third-party liability lawsuits (possibly class action) alleging damages resulting from the breach or incident Civil money penalties assessed by a regulatory body Defense of allegations First-party breach response costs, including: Legal consultation expenses Computer forensic and investigation expenses Public relation consultation and advertising expenses Postage expenses and other notification costs Credit monitoring and identity theft services to impacted patients Network Asset Protection, including: Cost to restore digital assets Loss of income or increased expenses resulting from a cyber event Cyber extortion and cyber terrorism The insurance marketplace in the cyber liability space has expanded greatly in recent years, in response to client need and the increasing awareness of the exposures present. The market is acutely dynamic and diverse, requiring a focused and experienced broker to navigate through all the options and assist in selecting the most appropriate coverage structure. The majority of physician malpractice carriers now provide an automatic coverage grant as part of their professional liability coverage. This automatic, or throwin coverage, typically comes with no additional premium charge. The coverage provided is generally broad, responding to most of the exposures outlined. However, the limits provided with this automatic coverage are typically only $50,000 to $100,000 per incident. Given the heightened regulatory scrutiny; the increased attention from the plaintiffs bar, and the significant investigation and notification costs, these throw-in limits are increasingly becoming inadequate to respond fully to an actual data breach or privacy incident. Higher limits of coverage are available, and Lockton highly recommends limits of at least $1,000,000 be purchased. These higher limits of liability are available from up to 20 different carriers, resulting in a competitive marketplace. Because of the coordination of insurance coverage and other insurance clauses, many times it is recommended that the additional limits be purchased from the same carrier providing the throw-in coverage. However, this is not always the case, and Lockton is prepared to broadly market this coverage for our physician group clients to ensure the most beneficial fit. Next Steps With this introduction to the exposures faced by physician groups in connection with their handling of protected health information, we hope you feel ready for a more in-depth discussion with Lockton concerning a risk management program to address and insure the exposure to loss. If you have any questions regarding the material presented, please contact your Lockton business partner.

6 HIPAA FINAL OMNIBUS RULE REQUIREMENTS AND IMPACTS 6 (The Compliance Deadline was September 23, 2013) Breach Notification Business Associates Increased Enforcement of Willful Neglect Requirement New definition of a breach replaces the risk of harm standard with the probability that PHI has been compromised. The entity retains the burden of proof, however. The exception for limited data sets that did not contain birth dates or zip codes has been removed. State and federal laws are more aligned. Expanded definition of a business associate is one that creates, receives, maintains, or transmits PHI on behalf of a covered entity, as well as other specific types of organizations. Subcontractors are now considered business associates and are bound by the same HIPAA privacy and security requirements. Business associate contracts must specify requirements for breach notification, electronic access to PHI, etc. OCR enforcement focuses on willful neglect, defined to be conscious, intentional failure or reckless indifference. Patient Rights Restriction of disclosure for out-of-pocket payments Copies of PHI to third parties must be authorized. Electronic copies of PHI must be made available. Impact CEs and BAs must conduct and document an objective risk assessment to determine probability and support their decision to notify or not notify. Risk assessments must include steps taken to mitigate risks to PHI. CEs and BAs are still required to mitigate adverse consequences and to notify individuals when the probability of PHI being compromised is not low. Entities must update policies and procedures and retrain their workforce. Entities must conduct risk assessments following all PHI privacy or security incidents. More stringent state laws may be applied, as long as they are not contrary to federal law. New business associates have the same liability as existing BAs. They must bring business processes and systems into compliance with HIPAA Rules. CEs must enter into appropriate contracts with these new BAs. Subcontractors must bring business systems and processes into compliance with HIPAA privacy and security requirements. BAs must revise contracts with subcontractors to reflect HIPAA requirements. BA contracts must specify compliance with the Breach Notification Rule. If a CE designates HIPAA liability, the contract must specify BA compliance. Contracts must specify to whom the BA provides electronic access to PHI. One-year grandfathering may be available. OCR will: Investigate all cases of possible willful neglect. Impose a penalty on all violations of willful neglect. CEs must agree to an individual s request to restrict disclosure to a health plan if the individual pays in full for a service or item. Authorization must be made in writing, and clearly identify the recipient and where to send the copy. CEs must provide a readable electronic copy of PHI, rather than a hard copy, even if it is not readily producible.

7 February 2014 Lockton Companies Notice of Privacy Practices Use and Disclosure of PHI Requirement Changes to notice of privacy practices New categories of PHI may be used or disclosed for fundraising. Strengthened opt-out for fundraising CEs may combine conditioned and unconditioned authorizations for research to simplify authorization paperwork. There is a new interpretation on authorization for future research. The Final Rule changes access to student immunization records. Decedents PHI is under HIPAA protection for 50 years after death. Covered entities also have greater flexibility to disclose PHI to persons involved in a decedent s care or payment. New definition of marketing includes remuneration from a third party for describing their product or service. Genetic information is now considered PHI. Impact CEs must change their notice of privacy practices to include: Prohibition of sale of PHI Duty to notify in case of a breach Right to opt out of fundraising Right to restrict disclosure for out-of-pocket payments Limit on use of genetic information Healthcare organizations can better target their fundraising efforts based on these categories. CEs may not make fundraising communications after opt-out, but may provide method of opting back in. The authorization must differentiate between these two portions. Unconditioned authorization must be opted in. Authorization may be used for future research, with notice to individuals. CEs may release immunization records to schools without an authorization that meets HIPAA standards. The Final Rule enables CEs to continue communicating with relevant family and friends after an individual s death. Covered entities must obtain authorization for thirdparty marketing. Health plans may not use or disclose genetic information for underwriting purposes. (6) The HIPAA Final Omnibus Rule: An Analysis of The Changes Impacting Healthcare Covered Entities and Business Associates, IDExperts, Member Access Only.

8 Our Mission To be the worldwide value and service leader in insurance brokerage, employee benefits, and risk management Our Goal To be the best place to do business and to work Lockton, Inc. All rights reserved. Images 2014 Thinkstock. All rights reserved. MN S:\CID\COVERAGE INFO\Cyber Liability\Network Security White Paper Folder\ Network Security White Paper.indd