Experts at CLM Conference Warn Organizations to Prepare for Cost-Effective Breach Response by Planning Ahead

March 31, 2017. With breaches growing in number and variety, experts at the Claims and Litigation Management Alliance Conference in Nashville, TN yesterday recommended planning ahead for cost-effective breach response and management, according to Gavin Souter's March 30, 2017, Business Insurance article entitled “Early breach preparation can save costs as attacks grow.” Robert Parisi of Marsh L.L.C. in New York stated: “‘You don’t want to start figuring out who to hire—whether it be a lawyer or a forensics investigator—as you are sending the FBI guys out the door and thanking them for telling you about the breach…. Have a plan, work the plan. That seems to be the best way to keep losses to a minimum.’”

OCR Initiates First HIPAA Enforcement Settlement for Failure of Covered Entity to Provide Timely Written Notification of Breach

January 13, 2017. On January 9, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that Presence Health Network of Illinois settled a HIPAA enforcement action for $475,000 for failing to provide timely written notification, as required by the HITECH Act Breach Notification Rule, of an October 2013 breach of unsecured protected health information (PHI) in paper format that affected 836 individuals.

Cyber Insurance Required for Breach Coverage

We have discussed in previous posts the importance of having cyber security insurance coverage, especially now that Insurance Services Office (ISO) commercial general liability (CGL) policies exclude coverage of HIPAA breaches in most states. A recent Connecticut Supreme Court ruling, reported in a May 24, 2015, Business Insurance article entitled “Court rules for insurers in case of data that fell off truck,” found that “insurers are not obligated to defend or indemnify the loss of data under general liability and umbrella insurance.” An attorney quoted in the Business Insurance article said “the ruling ‘just confirms (general liability) policies were not intended to, and do not, cover data breach crisis events.’ But separate cyber coverage is available.”

Average Cost of Breached Record Up to $154 in 2015 Study

June 4, 2015. The May 2015 IBM-sponsored Ponemon Institute Research Report, 2015 Cost of Data Breach Study: Global Analysis, determined that “the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.” The $154 per lost or stolen record figure is the global average across the industries studied. The Ponemon Research Report also found that “if a healthcare organization has a breach, the average cost could be as high as $363.” A number of factors make up the average cost, including the costs of remediating the harm, notifying affected individuals of the breach, and lost business. For a small covered entity or business associate, a loss of 1,000 or fewer records could imperil the viability of the business.

More Attention to Risk Management Needed by Law Firms and Governance Boards

One of the critical responsibilities of management of covered entities and business associates is safeguarding protected health information (PHI) in hard copy and electronic formats by implementing “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the [HIPAA] Security Rule.” [45 CFR 164.308(a)(1)(ii)(B)] This is a required implementation specification of the Security Management Process standard of the HIPAA Security Rule. That standard also includes required implementation specifications for conducting a risk analysis, from which safeguard policies and procedures are derived; implementing a sanction policy for workforce members who violate safeguard policies and procedures; and reviewing the effectiveness of safeguard policies and procedures on an ongoing basis.

Two Articles Shine the Spotlight on the Importance of Covered Entities Proactively Managing CyberSecurity Risks

On July 13, Politico published online an article entitled “Electronic health records ripe for theft,” which is available at: http://dyn.politico.com/printstory.cfm?uuid=BF84AA6D-ACFB-4AB8-9C79-FA00701EDD19. This article makes several important points and we commend it to your attention. First, the article states:

Lessons Learned from Breach Reports: A Cautionary Tale for Achieving HIPAA Compliance in Six Parts – (II) Security Evaluation

On May 20, 2014, then Secretary of the Department of Health and Human Services (HHS), Kathleen Sebelius, transmitted to Congress the required HITECH Act document:  Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012, which is available online at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf.  Much of this document analyzes the characteristics of breaches that the HITECH Act requires be reported to the HHS Office for Civil Rights (OCR), which prepared the report.

Lessons Learned from Breach Reports: A Cautionary Tale for Achieving HIPAA Compliance in Six Parts – (I) Risk Analysis and Risk Management

On May 20, 2014, then Secretary of the Department of Health and Human Services (HHS), Kathleen Sebelius, transmitted to Congress the required HITECH Act document: Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012, which is available online at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf. Much of this document analyzes the characteristics of breaches that the HITECH Act requires be reported to the HHS Office for Civil Rights (OCR), which prepared the report.

OCR Imposes $4.8 million in Financial Penalties on Two Healthcare Organizations to Resolve HIPAA Noncompliance Issues

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced on Wednesday, May 7, 2014, the resolution and settlement of HIPAA noncompliance issues arising from its investigation of a joint breach report, dated September 27, 2010, submitted by New York and Presbyterian Hospital and Columbia University Medical Center concerning an impermissible disclosure of electronic protected health information (ePHI). The HHS/OCR news release regarding these resolutions is available at www.hhs.gov/news/press/2014pres/05/20140507b.html.

OCR Imposes $1,975,220 in Financial Penalties on Two Healthcare Entities to Resolve HIPAA Noncompliance Issues

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced on Tuesday, April 22, 2014, resolution of two instances of stolen unencrypted laptops that contained electronic protected health information (ePHI).  The HHS/OCR news release regarding these resolutions is available at www.hhs.gov/news/press/2014pres/04/20140422b.html.
