Published on February 18, 2014
HEALTHCARE HIGHLIGHTS
6th Annual Advanced Forum on Cyber & Data Risk Insurance
September 27, 2012
Presented by:
Kimberly B. Holmes, Esq., Chubb Group of Insurance Companies
Christopher Keegan, Senior Vice President, Willis
John F. Mullen, Esq., Nelson, Levine, de Luca & Hamilton
Focused on the Business of InsuranceSM
© Nelson Levine de Luca & Hamilton, LLC
Healthcare - What We Know
• Highly regulated industry
  – HIPAA
  – HITECH
  – State data privacy and breach notification laws
• Business Associate requirements are a moving target
  – Third-party due diligence has always been a problem
• Covered Entities held to a higher standard
  – Your customers simply expect more – and they vote with their feet when they don’t get it
What’s Here Now and What’s On the Horizon
• Electronic Medical Records (EMRs)
  – Operation/Implementation Challenges
    • Fair Information Principles Will Apply
• Health Insurance Exchanges (HIEs)
  – HIPAA Compliance Challenges
    • Who is and isn’t a Covered Entity?
    • Operation/Implementation Challenges
  – States will vary in Compliance protocols
EMR and HIPAA Requirements
EMRs – The New Reality
• The shift toward electronic health records has gained great momentum
• Meaningful use, and interoperability, are big concerns – more data in motion, more data at risk
• The first round of EHR incentive payments for meaningful use occurred earlier this year
EMR—Compliance Costs
• Secure conversion
• Secure storage
• Administrative safeguards
• Technical safeguards
• Physical safeguards
EMR—Cost of Non-compliance
• Exposure to OCR/AG Actions
• Fines
• Punitive damages
EMR—Electronic Security
• During conversion
  – Physical security of paper documents
  – Secure electronic transmission
  – Secure electronic storage
  – Secure conversion facility
• After conversion
  – Secure destruction of paper records
  – Secure electronic storage
Health Insurance Exchanges
• Required under the Affordable Care Act (ACA) to be implemented by Jan. 2014
• Some states will operate them themselves
• Some states will establish them through partnership with the federal government and its contractors
• Facilitate the purchase of health insurance coverage by small businesses and individuals
• Determining eligibility and reviewing plans for compliance with required benefits packages
• Facilitating online availability of plans
• Processing enrollment
Health Insurance Exchanges (Cont’d.)
• To date, most HIEs have been set up as government or quasi-government entities and are thus NOT “Covered Entities” under HIPAA
• Participating Insurers (Qualified Health Plans) ARE still Covered Entities
  – Must continue to comply with HIPAA as well as any new privacy/security requirements imposed by the exchanges on their participating plans
• HHS final rule established no single minimum standard, but directed HIEs to develop privacy/security policies based on FTC Fair Information Practice Principles
Compliance & Notice Regulations
• HITECH Act
  – Extends HIPAA to “business associates” of covered entities.
    • E.g. claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management
  – Permits State Attorneys General to bring civil actions in federal court.
    • First AG suit filed against Health Net Connecticut in January 2010 alleging failure to properly encrypt portable data (violating HIPAA) and failure to timely provide notice (suit settled: $250K fine, 2 years credit monitoring, additional $500K fine if a person suffers ID theft as a result of the breach)
  – Civil monetary penalties range from $50K - $1.5m per violation, per calendar year.
  – Provides for mandatory audits by the Sec. of HHS to ensure data security policies and procedures are compliant, and implemented.
Compliance & Notice Regulations
• HITECH Act – Civil Penalties
  – Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)
    • Cignet failed to provide patients access to their own health information as required by HIPAA (fine $1.3 mil) and failed to cooperate with HHS’s investigation (fine $3 mil)
    • First fine by HHS for violations of HIPAA Privacy Rule provisions
  – Massachusetts General Hospital – Settlement with HHS in the amount of $1 million (Feb. 2011)
    • Settlement for alleged violations of HIPAA (paper records lost on subway)
HealthNet - Case Study
• May of 2009: Portable computer disk drive with 446,000 private records lost/stolen from HealthNet Connecticut.
• November 2009: HealthNet goes public about the breach, notifying the affected individuals and the Attorney General.
• January 2010: Connecticut Attorney General files suit against HealthNet alleging:
  – Improper handling of the breach event
  – Failure to timely notify affected individuals and the AG’s office
  – 12 violations of HIPAA privacy and security rules
HealthNet - Case Study
• OUTCOME: July 7, 2010 HealthNet Settles Suit
• HealthNet will pay CT $250,000 in statutory damages and implement a corrective action plan.
• If misuse of the data is established, such as actual identity theft, Health Net will pay CT an additional $500,000 in statutory damages.
• HealthNet incurred costs of over $7 Mil to forensically investigate, provide notification and credit monitoring…
RECENT HIPAA/HITECH BREACHES
• Massachusetts Eye and Ear – September, 2012
• Alaska Department of Health and Human Services – June, 2012
• Phoenix Cardiac Surgery – April, 2012
• Blue Cross Blue Shield of Tennessee – March, 2012
• Health Net Connecticut – January 2010
Class Action Claims
• Litigation
  • Breach guidance
  • Investigation
  • Notification
  • E-discovery
  • Litigation prep
  • Contractual review
  • Defense (MDL?)
• Plaintiffs’ Demands
  • Fraud reimbursement
  • Credit monitoring
  • Identity monitoring
  • Civil fines and/or penalties
  • Time
Class Action—Tricare
• September, 2011: Backup tapes containing PHI of 4.9m patients treated at San Antonio military facilities between 1992 and September 7, 2011 stolen from the vehicle of a Tricare contractor Science Applications International Corp. employee
  • PHI—names, addresses, phone numbers, clinical notes, laboratory tests, prescription information, social security numbers
• September 14, 2011: Science App. notifies Tricare
• September 29, 2011: Tricare begins patient notifications
• Tricare did not offer credit monitoring
Tricare, cont’d
• October 11, 2011: lawsuit filed, alleging, among other things:
  • Tricare operations manual requires notification no later than ten days after discovery of breach
  • Tricare was repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security but failed to effectively respond
• Lawsuit seeks an award of $4,900,000,000 – $1,000 for each affected individual
Class Action—Sutter Health
• October 15-16, 2011: Sutter Health’s administrative offices burglarized, and a desktop PC, among other things, was stolen, containing:
  • Names, addresses, dates of birth, phone numbers, and email addresses of 3.3m Sutter Physician Services patients that were treated between 1995 and January, 2011
  • Information on medical diagnoses and procedures for 943,000 Sutter Medical Foundation patients treated between 2005 and January, 2011
• October 17, 2011: theft reported to police
• November 15, 2011: Sutter Health began notifying affected individuals
• November 16, 2011: first lawsuit filed; twelve filed thus far
So What Else Keeps HIPAA Privacy Officers Up at Night?
• Employee Clinics
• Cloud Computing
• Social Media Challenges
• Encryption of Portable Devices and Tracking—Where is the PHI?
Questions?
Kimberly B. Holmes, Esq. – firstname.lastname@example.org – (860) 408-2017
Christopher Keegan – email@example.com – (212) 915-8276
John F. Mullen, Esq. – firstname.lastname@example.org – (215) 358-5154