April 18, 2016. HIPAA Integrity recommends that you read the excellent April 11, 2016, Business Insurance article by Mark A. Hofmann entitled “Cyber coverage seen as security incentive.” The article discusses concepts of “cyber insurance in risk management” presented at a recent U.S. House of Representatives Homeland Security Committee hearing. The article reports that Representative John Ratcliffe (R-TX) said: “‘We must explore market-driven methods for improving the security of the companies that store our personal information. I believe cyber insurance may be one such solution.’ Just applying for and maintaining such coverage would require ‘entities to assess the security of their systems and examine their own weaknesses and vulnerabilities.’” The HIPAA Security Rule already requires covered entities and business associates to complete a risk analysis, which addresses Rep. Ratcliffe’s point: the risk analysis, together with the documented risk mitigation strategies, provides written background information in support of underwriting cyber coverages. Failure to comply has consequences, as echoed by Nat Wienecke, senior vice president of the Property Casualty Insurers Association of America: “‘In many cases, the soft underbelly of our cyber security environment can come through companies that haven’t matched their cyber risk management programs to the threats we are facing.’”
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) started its long-awaited HIPAA Privacy, Security, and HITECH Act Breach Notification Rule compliance audits on March 21, 2016; the audits will continue through 2016. We have discussed OCR’s audit program in previous postings. In early April, OCR also posted its long-awaited audit protocols, which identify the information OCR seeks from covered entities and business associates as part of the current desk audit process. HIPAA Integrity has completed a comparison of the original protocols with the April audit protocols, and has linked each comparison to the appropriate safeguard policy and procedure in the HIPAA Integrity Compliance Tool Package (Version 3.0). This package is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance, whether for a potential selection for an OCR desk or onsite audit or for providing evidence to cyber insurance underwriters that a security management process and security measures are in place. HIPAA Integrity will discuss the OCR compliance audit program and protocols in a WEDI-sponsored webinar on May 4, 2016.