On May 1, 2014—just over three months from now—the Insurance Services Office, Inc. revisions of the standard commercial liability policy forms are effective in all but four states and territories. The revisions include many types of data breach exclusionary endorsements that would apply to breach of protected health information under HIPAA privacy and security rules, as modified by the HITECH Act, and the HITECH Act breach notification rule.
Since the compliance date of the HIPAA Privacy Rule in April 2003, through the end of 2013, the Department of Health and Human Services (HHS)/Office for Civil Rights (OCR) has received over 90,001 HIPAA complaints, of which 84,554, or about 94%, have been resolved.
On December 24, 2013, a New England dermatology practice agreed to pay a financial penalty of $150,000 to HHS as part of a resolution agreement and corrective action plan “for not having policies and procedures in place to address the breach notification provisions of the [HITECH Act]” following theft of an unencrypted thumb drive containing electronic protected health information (ePHI). While the practice reported the breach of its ePHI to HHS, the required OCR investigation thereafter indicated that the practice had not performed a risk analysis as part of its security management process until after the breach, did not have written policies and procedures implemented until after the breach, and had not trained its workforce members on those policies and procedures.