HIPPA Goes HITECH. Data Protection for Agents

Transcription

1 HIPPA Goes HITECH Data Protection for Agents For agent information only. this material should not be distributed to the public or used in any solicitation

2 Course objectives Agents will be able to understand the basics of HITECH Agents will be able to explain how HITECH affects how he/she does business Agents will be able to identify potential ti personal consequences of not adhering to the law Agents will be able to describe procedures which will prevent problems Agents will be able to describe his/her responsibility in reporting breach of information situations

3 RECOGNIZE Agents must recognize information that is subject to HIPAA/HITECH

4 Background HIPAA is an existing federal law that requires insurers and healthcare providers ( Covered Entities ) to adopt stringent privacy and security procedures HIPAA requires that Covered Entities have written agreements with independent contractors and other third parties that perform services for its customers. As an Agent, your Agent Contract describes your privacy and security responsibilities HIPAA did not directly regulate the activities of independent contractors or third parties that provide services to insured s, insurers and providers Beginning February 17, 2010, HIPAA privacy and security regulations will directly apply to Agents. The amendments to HIPAA are contained in a law known as HITECH

5 What does HIPAA/HITECH protect Broadly speaking, HIPAA/HITECH protects information that identifies an individual and relates to the individual's health condition and/or payment for health care treatment. Washington National uses the term Personal Information or PI to describe the categories of data that are regulated by HIPAA/HITECH and other privacy laws Some sources of PI are: insurance applications, medical records, claims information, etc. Protecting PHI includes: Proper security for the information Secure sharing of data Safe disposal of data Authorization for release/disclosure of PHI

6 HITECH- What is it? HITECH stands for Health Information and Technology for Economic and Clinical Health Act HITECH expands the scope of privacy law under HIPAA by: Heightening awareness of privacy laws Establishing penalties for improper conduct Requiring notification if consumer data is compromised Protecting individuals from financial and medical identity theft

7 Information protected by state and local laws Individual s name Payment card number Address Date of birth Medical records Information about health condition or payment for health care treatment Social Security number Bank account number Drivers license number Passport/Visa number Consumer credit report Adverse underwriting information Personal net worth of financial asset data Signature images

8 HITECH Agent Responsibilities Verbal safeguards Agents g cannot discuss consumers personal information with anyone that does not have a business need to know Physical safeguards Agents are responsible for the security of paper documents containing personal information while under agent s control Electronic safeguards If your computer has client and/or prospect information, YOU MUST take steps to protect this data This law requires companies and individuals to take steps to protect consumer PI Agents are now directly liable for privacy or security violations involving PI Agents are legally obligated to quickly inform Washington National of suspected PI issues

9 PREVENT Agents must prevent wrongful disclosures of legally protected information

10 What are agent requirements for protecting PI? Privacy requirements all data (verbal, paper, p electronic) Use the minimum amount of PI required to achieve your business purpose Disclose PI only to authorized individuals id and only disclose the minimum amount required to achieve your business purpose Take precautions to safeguard PI from loss and theft Never put PI in the trash always shred.

11 What are agent requirements for protecting PI? Security requirements electronic data Assess the security of PI stored on your laptop/desktop computer Install technical safeguards such as virus protection and encryption software Use strong passwords/change every 90 days Don t store PI if you can t protectitaccordingtothelaw to the NOTE: HITECH requires agents to document the steps they have taken to protect consumer s data. A simple statement identifying the data you store (paper and electronic) and the steps you have taken to protect this data should be kept in a safe place.

12 What can agents do to safeguard client's and prospect s s data? Download virus protection and date encryption software Keep your computer and data locked up Protect your papers from prying eyes Encrypt data so that others cannot use the information Use strong passwords

13 REACT Agents must react to events that have the potential to constitute a data breach

14 What should you do if PI is compromised? You must report the situation to the home office Complete a DATA ALERT (located on bizlink) and to servicedeskticket@cnoinc.com Each consumer and the federal government MUST be notified Washington National will handle all individual and regulatory notifications What situations should be reported? Lost of stolen computer Computer intrusion (virus, malware, spyware) Lost or stolen CDs, DVDs, memory sticks and storage devices with consumer data Suspected snooping of paperwork Accidental or inadvertent t situations ti involving i data such as misplaced items, accidental delivery or wrong item to customer, accidental sending of information to incorrect address or fax number

15 Consequences The Department of Health and Human Services (HHS), Office of Civil Rights now has the authority to not only penalize companies, but now can personally penalize agents if they do not take appropriate steps to protect consumer data In addition, the state attorneys generals may also bring civil actions personally against the agents

16 Agent personal liabilities for penalties If the Agent has no knowledge of violation: $100 per violation (up to $25,000 per year) If violation is due to Agent s reasonable neglect: penalty rises to $1,000 per violation (up to $100, per year) If violation is due to Agent s willful neglect: maximum penalty is $500,000 per violation (up to $1.5 million per year) and the United States Department of Justice is authorized to pursue criminal penalties

17 Summary: recognize, prevent and react HITECH places responsibility for securing consumer data with both the agent and the company Agents are required to do a written risk assessment of the hardcopy and electronic data they store Is it worth the risk to store this data? Where is the data stored? What steps have I taken to secure this data? What is on my computer? Have I installed virus protection? Have I set up strong passwords? Did I encrypt the data? Who else is using my computer? Did I secure the data from others? Do I lock up my computer when I am not using it?

18 Summary: recognize, prevent and react Both the Federal and State regulators will monitor HITECH It is important to the consumer that you protect their information from identity theft It is also important t for you to protect t yourself from penalties due to violations of the law. Document your risk assessment and how you will secure/protect the data.

19 Attestation of completion Click each box to record training completion: I have completed the HIPAA to HITECH training presentation. I understand and acknowledge my legal responsibilities to safeguard personal information (PI) as required by HIPAA and the HITECH Act. I understand my legal obligations to safeguard personal information (PI) from loss I understand my legal obligations to maintain anti-virus and encryption software on my personal computer if I store personal information (PI) electronically I understand my legal obligations to immediately notify Washington National in the event that personal information (PI) becomes misplaced, lost, stolen or is wrongfully disclosed, even if a wrongful disclosure is inadvertent or accidental Agent signature Printed name Date Agent #