HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Cyber insurance can reduce impact of a data breach

Cyber insurance for your business might be worth the cost. It deserves a good look because it educates on reducing risk, helps when a breach happens and can be a competitive advantage.

In 2015, data breach events are once again on the rise. How your organization, regardless of size, efficiently and compliantly manages a breach incident response can be the difference between being the next headline news story or going out of business.

As business owners and executives look for new ways to protect their business, their risk exposure and their brand, cyber insurance is receiving more consideration as a way to help you manage and respond to a data breach, whether it is caused by outside hackers, your own employees, or vendor relationships, and whether the cause ranges from malicious intent to accidental release of information.

The use of cyber insurance communicates to clients, prospects and vendors that your business is serious about managing a data breach event and your commitment to protecting customer and employee information.

Here are three tips to consider when reviewing the option of adding a cyber insurance policy:

Work with an insurance broker who understands cyber insurance. An insurance broker who understands cyber insurance can help educate your business on the different types of cyber insurance policies and validate the need for a policy. A broker can also help you understand business interruption, legal liability, the costs to investigate a data breach, to notify victims, and to defend or settle class-action lawsuits, as well as regulatory enforcement actions and fines.

Data breach assessment. Your business needs to evaluate its overall risk of experiencing a data breach and the type of data you collect, store and transmit.

Here are some questions to ask when considering cyber insurance: What type of industry are you in? What is the type and volume of data that your company collects, uses, stores, and transfers? What is the prominence of your brand? Are your technology, information security and governance best practices up to date? Are mobile devices an integral part of your business? What is the total number of vendors and third-party contractors with access to your company's sensitive data?

Learn about cyber policy exclusions and endorsements. Not all cyber insurance policies are created equal. Ask about retroactive coverage for "prior, unknown data breaches." Ask about coverage that includes "loss of data" versus only "theft of data." If your business acts as a vendor or third-party contractor for other businesses, ask about cyber coverage that includes liability toward your business clients.

The reality is that the challenges of a data breach event can include complex federal and state breach notification laws, and most small businesses lack the financial and human resources to respond. Cyber insurance can support your risk-management objectives.

Mark Manning's curator insight, March 9, 2016 8:11 AM

Insurance cover might be essential for your business.


HIPAA Marketing Violation Affects 80,000

The unauthorized use and disclosure of patient information for marketing purposes by an insurer in Tennessee offers a reminder of the importance of complying with HIPAA's marketing-related provisions.

TRH Health Plan of Columbia, Tenn., discovered the HIPAA violation in November, when it began receiving inquiries from some of its members about a mailing they had received from BlueCross BlueShield of Tennessee, an administrative partner of TRH, promoting a Medicare Advantage program, according to a TRH spokeswoman.

TRH immediately launched an investigation into the matter, the company says in a statement. As a result of the mailing, TRH is notifying 80,000 of its members that a "limited amount" of their protected health information, specifically names, addresses, and subscriber IDs, was inappropriately used and disclosed by BCBS Tennessee for marketing purposes, the TRH spokeswoman says.

The PHI was inappropriately shared with a third-party vendor that BCBS Tennessee hired to print the documents and assist in the mailings, TRH says.

"We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign," a BCBS Tennessee spokeswoman tells Information Security Media Group. The PHI has been subsequently destroyed by the printing vendor, she says. In addition, "we've ensured that our marketing teams will receive additional training in the use of HIPAA protected data as it relates to marketing purposes."

In a statement, TRH says that it believes "the potential harm to its members has been mitigated" based on the limited amount of PHI involved and the steps taken by BCBS Tennessee and its vendor in response to the incident.

Marketing Provision

Before the HIPAA Omnibus Rule went into effect in 2013, HIPAA regulations generally required a covered entity to obtain authorization from an individual for any use or disclosure of PHI for marketing purposes, says privacy expert Rebecca Herold, partner at HIPAA Compliance Tools and CEO of the consulting firm The Privacy Professor. The Omnibus Rule added even more restrictions on the use or disclosure of PHI for marketing, she notes. It also expanded all the HIPAA requirements to apply to business associates.

"Even prior to this, though, a BA agreement should have stipulated that a BA could not use PHI for any other purposes than those for which they were contracted," she says. "All CEs and BAs need to document policies, and supporting procedures and processes, detailing how patients, as well as insureds in the case of health insurance companies, will be given the choice to consent [for authorizing use of their PHI], and then how to opt-out of any other already agreed-to marketing and fundraising activities when they choose to."

Privacy expert Kate Borten, president of consulting firm The Marblehead Group, suspects there have been other marketing breaches that haven't come to light "because individuals don't know the regulations."

Nonetheless, she adds, "I believe there's a difference between a technical error and an organization's failure to consider the marketing requirements. In the case of BCBSTN, the cause may have [theoretically] been a software coding error due to incomplete specifications. It's unfortunate, but not a high crime."

Covered entities and business associates are too often ignoring the HIPAA marketing restrictions or choosing to interpret them in favor of their business processes, she adds. "Although [HIPAA Omnibus] helped clarify marketing, the privacy rule leaves room for interpretation. Writing regulations is not as easy as some would think."

Regulatory Actions

In 2010, the Department of Health and Human Services imposed a $35,000 penalty in its enforcement action against a covered entity, Management Services Organization Washington, or MSO, for violations of HIPAA marketing regulations.

An OCR resolution agreement with MSO indicates that the company provided PHI of "numerous individuals" to a sister company, Washington Practice Management, in 2009, for the marketing of Medicare Advantage plans.

In addition to alleged violations of the HIPAA marketing provisions, an OCR investigation of MSO also uncovered other HIPAA privacy and security rule non-compliance, including a lack of "appropriate and reasonable administrative, technical and physical safeguards to protect the privacy of PHI."

Under the resolution agreement with OCR, MSO agreed to a corrective action plan that included developing, maintaining, and revising written policies and procedures in accordance with the HIPAA privacy and security rules, as well as implementing workforce training.

Preventing Breaches

Borten recommends that covered entities carefully monitor all uses and disclosures of PHI to ensure HIPAA Privacy Rule compliance. "BAs should do the same, but their BA contracts further limit what uses and disclosures are permitted," she adds.

"Whenever a new or modified process involving PHI use or disclosure is planned, privacy rule requirements must be explicitly reviewed. This should be a required component of each organization's project management process, along with considering security implications."

As for future OCR enforcement actions against organizations that violate the HIPAA marketing provisions, Herold says she thinks those actions are necessary. "Otherwise the misuse of PHI for unwanted marketing activities will continue to increase," she says.

Under HIPAA Omnibus, covered entities, as well as business associates, can be fined up to $1.5 million per HIPAA violation.

Previous BCBS HIPAA Violation

In another HIPAA-related incident, Blue Cross Blue Shield Tennessee was the first covered entity to get slapped with a monetary penalty from OCR under the HIPAA breach notification rule, which went into effect in 2009.

In March 2012, the insurer agreed to pay a $1.5 million settlement and carry out a corrective action plan in the wake of a 2009 breach affecting more than 1 million individuals that involved the theft of 57 unencrypted computer hard drives.
