April 8, 2016. HIPAA Integrity recommends that you read the excellent April 6, 2016, Health Data Management article by Joseph Goedert entitled: “Cyber insurance gaps may surprise healthcare organizations.” The article is based on an interview with Collin Hite, a security expert with the law firm of Hirschler Fleischer in Richmond, VA. It discusses the consequences of a breach and the need for cyber insurance, especially for small providers, but also the need for a thorough understanding of the insurance contract's provisions. Cyber insurance coverages are complex, and covered entities and business associates subject to the HIPAA/HITECH Act safeguard regulations should avail themselves of outside experts, some of whom may be provided by the insurer.
Cornichon Healthcare, which owns HIPAA Integrity, has highlighted in its blog postings over the past two years the importance for covered entities and business associates of acquiring cyber insurance coverage, because the Insurance Services Office (ISO) commercial general liability (CGL) policies excluded HIPAA/HITECH Act related breach events from coverage effective May 1, 2014. Now, because of heavy CGL underwriting losses pertaining to HIPAA/HITECH Act breaches, cyber insurance carriers increasingly require written documentation showing that a risk management process, including a risk analysis and risk mitigation measures, is in place. The Ponemon Institute 2015 Annual Survey (sponsored by IBM) shows the following:
Those costs include remediating the harm, notification of breach to affected individuals, and lost business and reputation.
It is important for covered entities and their business associates to be covered for privacy breaches and security incidents, but such cyber insurance coverage increasingly requires evidence that a security management process and risk mitigation measures are in place, at a minimum sufficient to comply with the HIPAA/HITECH Act safeguard regulations. The Office for Civil Rights (OCR) announcement of March 21, 2016, that desk and onsite compliance audits are underway is another incentive to have written safeguard documentation in place. We discussed the OCR initiative in postings last week.
HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0), which was released earlier this week, is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance, whether for a potential selection for an OCR desk or onsite audit or for providing evidence to cyber insurance underwriters that a security management process and security measures are in place. The package comprises an easy-to-follow tabular risk analysis template; 92 written generic safeguard policies and procedures that a covered entity or business associate must have in place and that can readily be tailored to its risk analysis findings; 22 authorization and maintenance forms accompanying the safeguard procedures; and a safeguard training curriculum in five lessons with test questions, for administration by Privacy and Security Officials to their workforce members. Each component of the package is linked via a proprietary code and written in plain language. HIPAA Integrity also includes guidance, online accessible authoritative references, and the OCR audit protocols. At an affordable $499 for a year’s membership, including any federal regulatory updates, HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is a far more cost-effective option than being selected for an OCR desk audit and found non-compliant, or being rejected for cyber insurance coverage and having to bear the financial and non-financial consequences of a privacy breach or security incident.
Read this important article by Joe Goedert and prepare to not be surprised.