HIPAA Legal Updates — Breach Reporting Requirements

By Sumita Saxena, Senior Consultant, The Verden Group

There might be some confusion regarding the breach reporting requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) and further enforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. A breach is considered any acquisition, access, use or disclosure of Protected Health Information (PHI) which compromises the security or privacy of the PHI. However, if the disclosed PHI has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, an adequate risk assessment may determine that a sufficiently minimal or nonexistent risk is present, thereby excluding the event from the definition of a breach.

The most basic example of a breach occurs when one patient’s records are accidentally sent or disclosed to another patient or individual. While this may seem trivial in a circumstance in which the content disclosed is rather limited, physicians must be aware of how to identify a breach and understand their obligations with respect to reporting.

Every HIPAA breach is reportable; what differs is the reporting timeline, which depends on the number of individuals affected by the event. In instances where fewer than 500 individuals are affected by the breach, practices must maintain a system of logging or otherwise documenting these breaches as they occur during the calendar year. Practices must then submit a detailed account of all such events to the Secretary of the U.S. Department of Health and Human Services (HHS), through the HHS Office for Civil Rights, no later than 60 days after the end of the calendar year. Immediate notification to the Office for Civil Rights is required in the event that a breach affects more than 500 individuals.

Recent OIG reports signal an upcoming increase in OCR activity and oversight of HIPAA covered entities, even in the absence of a breach.

On September 29th, the Office of Inspector General (OIG) in the U.S. Department of Health and Human Services (HHS) released two reports which reviewed the successes and shortcomings in the Office for Civil Rights’ (OCR) oversight of Health Insurance Portability and Accountability Act (HIPAA) compliance for covered entities. OCR is responsible for overseeing covered entities’ compliance with the HIPAA standards, which include the Breach Notification Rule, the Privacy Rule and the Security Rule. In one report, the OIG provided conclusions and recommendations from its study of covered entities’ compliance with the HIPAA Privacy Rule, while in the other, the OIG provided conclusions and recommendations from its investigation of OCR’s follow-up on breaches of patient health information reported to OCR. In both studies, the OIG reached some similar conclusions. The guidance provided by these reports should be recognized by providers for what it is: a harbinger of OCR’s likely future enforcement activity.

One of the key findings by the OIG likely to have a direct impact on providers: OCR will now proactively audit covered entities to monitor compliance with the Privacy Rule, as opposed to its traditional approach of initiating investigations as a result of complaints or breach reports. The fact that OCR has not been proactively auditing covered entities has allowed them some level of comfort, since there was little concern that OCR would investigate a covered entity unless a potential breach or violation was reported. It is likely that this will be changing in the very near future, as the OIG has recommended that OCR improve its oversight of covered entities and take a proactive stance by instituting a permanent audit program, as opposed to OCR’s current reactive posture. In addition, the OIG recommended improving the tracking system which OCR uses to keep records about investigations of covered entities. Such improvements in record-keeping and tracking of investigations could mean that OCR will be more likely to impose penalties, as it will be able to more easily determine when covered entities are the subject of multiple investigations.

Regarding the follow-up of breaches, the OIG made some similar recommendations concerning the need for OCR to improve its tracking system. The OIG recommended that OCR more uniformly enter information about breaches, whether large or small, into a searchable database. At present, OCR has largely focused on thoroughly investigating large breaches (e.g. breaches of 500 or more affected individuals) that are reported to it. However, the OIG has now recommended that OCR also track and follow up on small breaches that are reported to it. This could have a significant impact on providers who may have experienced several small breaches, as it will be more likely that OCR will now closely track and examine covered entities that experience several small breaches. In addition, the OIG recommended that OCR maintain more complete documentation in its database of corrective actions taken by covered entities that experience a breach. Currently, because OCR does not keep thorough records of corrective actions, covered entities may be able to get away with implementing few changes after a breach. Once OCR implements these recommendations to better document corrective actions taken by covered entities, it will place greater scrutiny on these corrective actions to ensure that the covered entities carry out the necessary changes and prevent a similar breach in the future.

It is extremely important for providers to understand how to comply with HIPAA, as well as what to do if they experience a breach. These reports serve to emphasize the importance of compliance and the ways in which OCR will begin to more actively investigate HIPAA compliance. Here at The Verden Group we can offer assistance in reviewing your HIPAA protocols and ensuring you have all the required forms up-to-date and properly disseminated to your patients.

Cyber Risk Insurance – Should you consider getting it for your practice?

By Sumita Saxena, Senior Consultant, The Verden Group

The cyber-attack on Anthem, which left 80 million customers and employees vulnerable to identity theft, has quickly elevated the question of whether to purchase cyber risk insurance to the forefront of discussion among healthcare providers. The attack will certainly impact the market for cyber security insurance for healthcare providers, payers and others. Small to medium-sized healthcare organizations that have not considered such coverage may do so now, while insurers re-evaluate underwriting standards and likely premium levels in the wake of the Anthem attack.

Most policies provide broad coverage for what constitutes a privacy breach, whether it results from a hacker, unauthorized access by an internal rogue employee or a laptop that was lost or stolen. Coverage can be divided into two categories: first-party and third-party costs.

Typically, first-party costs are the direct costs of responding to a privacy breach or security failure. Such costs include forensic investigation of the breach, legal advice to determine notification obligations, the cost of communicating the breach to those affected, credit monitoring offered to customers or patients as a result, and loss of profits and extra expenses during the time the network is down (business interruption).

Generally, third-party costs include legal defense, settlements, damages or judgments related to the breach, liability to banks for re-issuing credit cards, the cost of responding to regulatory inquiries, and regulatory fines and penalties. Optional coverage can encompass underwriting for cyber-extortion, where hackers access a network and demand a ransom in exchange for not stealing data (many companies would rather pay the ransom and make the problem go away).

Larger organizations are more likely to purchase coverage than smaller ones, given their access to risk managers and in-house IT security. Smaller companies, like physician practices and local clinics, may not have access to such resources and may forego coverage as unnecessary or too expensive. Data breaches, however, continue to garner significant attention, and some insurance experts have commented that more and more small and mid-sized organizations are actively seeking out this coverage. Premiums for a $1 million plan are generally $5,000 to $10,000 annually, though the cost can vary based on several factors, including company revenue, cyber-risk management efforts and the coverage chosen.

The cost of insurance coverage and breach response is minimal, however, when compared to the legal and regulatory costs associated with a data breach, which, depending on the size of the attack, can run into the millions and substantially impair a company’s profitability if the response is not adequate.

Any large, well-publicized breach such as the one that struck Anthem will affect the market for cyber security insurance, as noted by industry experts, by influencing coverage terms, increasing coverage prices and making underwriting requirements more stringent, especially for healthcare companies as the industry sees more large-scale breaches. In light of these changes, it is prudent to re-assess network security and adequacy of breach notification, and to consider cyber risk insurance as an additional safeguard against the substantial cost associated with data breaches.