2. Do you know?
• When did the new federal HIPAA/HITECH final rule take effect? March 26, 2013
• When does the rule become enforceable (compliance date)? Sept. 23, 2013
“These changes not only greatly enhance a patient’s privacy rights and protections,
but also strengthen the ability of my office to vigorously enforce the HIPAA privacy
and security protections, regardless of whether the information is being held by a
health plan, a health care provider or one of their business associates”.
Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR)
3. What is new to the federal law?
• Business Associates / Business Associate Agreements
• Notice Requirements (Federal & your State)
• Penalty Structure: $100 to $50,000 per violation, up to a maximum of
$1,500,000 per year for all violations of an identical provision
4. Examples of Legal Requirements
• Federal Laws
– Health information (HIPAA/HITECH)
– Financial information (Gramm-Leach-Bliley Act)
– Education information (FERPA)
– Information of children under 13 (COPPA)
– Sensitive employee information (GINA, FMLA)
• State Laws
– Breach notification in 46 states
– Disclosure of SSNs
– Processing of Medical information
– Destruction/Disposal
– “Reasonable measures” to safeguard personal information
5. State Laws
46 of 50 states plus the District of Columbia, Puerto Rico & the Virgin
Islands have data breach laws covering Personal Information (PI); many
cover subsets of data that may also be contained within medical records
(Protected Health Information, PHI).
States without such laws: Alabama, Kentucky, New Mexico, and South Dakota
• Usually protect the data of residents of the state from certain types of
disclosure
• Covered Entities (CEs) and Business Associates (BAs) must be aware of these
laws in the event of a breach
• Differing requirements regarding who must be notified (State
Attorney General, law enforcement, media outlets, the individual),
the timing for such notice, and the manner of the notice
6. OCR /State Attorney General Investigations
Hospice of North Idaho
• 12/31/12: Theft of an unencrypted laptop containing the ePHI of 441 patients
• First HIPAA breach settlement involving fewer than 500 patients
• $50,000 payment
Ashley Industrial Molding, Inc Employee Welfare Benefit Plan (Indiana)
• 8/09/11: Hacking/IT incident affecting 506 individuals
Massachusetts Mutual Life Insurance Company, MassMutual Financial
Group
• 6/5/13: The 401(k) retirement plan information of certain clients (names,
Social Security numbers, investment elections and account balances) was
inadvertently exposed when a MassMutual account manager sent an email on May 8.
7. Attorneys General Beginning to Use
HIPAA Enforcement Authority
Accretive Health, Inc. sued by Minnesota AG
• Suit followed a breach of 23,000 patients' PHI
• AG used a combination of HIPAA and state law to shut Accretive down in MN
for a two-year period
• 7/31/12: $2.5M settlement
South Shore Hospital sued by Massachusetts AG
• Suit followed a breach of the PHI of 800,000 patients on unencrypted
back-up tapes lost during shipment
• 5/24/12: $750,000 settlement
8. Research
Brown & Brown-Tampa Programs Division's research to find the best product
to meet your clients' needs yielded Beazley Breach Response Select.
Beazley Breach Response was involved in 6 of the 9 major breaches in the
United States last year, sending out 9.6 million notices.
Excellent Coverage including Risk Management
Services.
9. Policy Highlights
If a breach occurs, one call reports it and Beazley takes over…
• Privacy Liability
• Privacy Notification Expense
• Regulatory Liability
– HIPAA/HITECH Fines & Penalties
• Network Security Liability
• Media/Website Liability
• Public Relations and Crisis Management Expense
• Credit Monitoring Expense
• Legal and Forensic Expense
• Theft Resolution Services
• Cyber Extortion Loss
• Data Protection Loss
• Business Interruption Coverage
10. Coverage Limits
• Information Security & Privacy Liability $1,000,000*
• Regulatory Defense & Penalties $100,000*
• Website Media Content Liability $100,000*
• Payment Card Industry (PCI) fines and costs $50,000
* Higher limits available upon request
11. Coverage Limits Continued
• Privacy Breach Response Services*
– Notification to individual clients: 25,000 individuals
– Credit monitoring: 3 credit bureaus for 12 months
– Identity theft resolution: up to 5,000 cases
– Foreign notification: $50,000
*Breach Response Services are OUTSIDE of the Limits
of Liability
• First Party Coverage
– Cyber Extortion Included
– Data Protection Loss Included
– Forensic Expense $50,000**
– Business Interruption Loss Included
** higher limits available upon request
12. Scope of Services (1)
Step-by-Step Procedures to Lower Risk
• Understand the scope of "personal information" ("PI")
• Determine where PI is stored
• Collect/retain the minimum amount of PI required for business needs
• Destroy PI when no longer needed
• Risk assessment guidance
• Develop and implement an Incident Response Plan
On-line Compliance Materials
• Federal and state compliance materials
• Summaries of federal and state laws
• Sample policies & procedures
• Continuing updates and electronic notification of significant changes
13. Scope of Services (2)
Periodic Newsletter & "Privacy Posts"
• Sent by email
• Significant changes in federal and state laws/regulations
• Breach and data security news
• Links to related on-line information
• Privacy Posts for events requiring immediate attention
Phone/E-mail Support
Consultants & attorneys answer questions, including:
• Health care & HIPAA compliance issues
• Data breach prevention issues
• Data security best practices
• Computer forensic issues
14. Scope of Services (3)
Training Modules
• On-line training material
– Specific, to-the-point
• Awareness bulletins & posters
• Webinars
– For privacy compliance and IT staff
Handling Data Breaches
Guidance provided to:
• Respond to a data breach
15. Questions???
Thank you
We look forward to quoting for you soon!
Martha Oddo 813-222-4133 moddo@bbprograms.com
Urvish Patel 813-222-4358 upatel@bbprograms.com