The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and Health Information Technology for Economic and Clinical Health Act (HITECH) are designed to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers such as home health care agencies and hospice care. The information protected by the two federal laws includes that which doctors, nurses, and other health care providers put in the medical record of an individual; conversations that a healthcare provider has with nurses or others about a patient’s care or treatment; information about an individual in the health insurer’s computer system; billing information at a clinic or other agency; and all medical records and other individually identifiable health information, whether communicated electronically, on paper, or orally.
The HIPAA Privacy Rule specifically sets limits on how health plans and covered health care providers may use individually identifiable health information. Protected Health Information (PHI) generally may not be used for purposes unrelated to health care. Home health care agencies, for example, may use or share only the minimum amount of protected information needed for a particular purpose. In addition, a patient would have to sign a specific authorization before his or her medical information could be released to a life insurer, a bank, a marketing firm, or another outside business for purposes not related to their health care. HIPAA also establishes guidelines for electronic recordkeeping and electronic transactions between parties in the healthcare system. Moreover, health care providers must develop written privacy procedures. These procedures must specify who has access to protected information, how it will be used within the home health care agency, and when the information would or would not be disclosed to others. Steps must also be taken to ensure that business associates protect the privacy of health information.
The Office for Civil Rights (OCR) enforces the provisions of HIPAA by investigating complaints, performing education and outreach, and conducting compliance reviews to determine whether covered entities are in compliance. These programs enable OCR to identify best practices and to proactively uncover and address risks and vulnerabilities to PHI.
Yet, as we all know too well, health care information is fertile ground for cyber criminals due to its value – and unfortunately data breaches now occur on a regular basis. These records end up in the wrong hands not only through data breaches by hackers, but also through employee negligence or error. The penalties and fines for these data breaches and other violations can be significant. Health care organizations found to be in violation of a patient’s right to privacy are subject to HIPAA civil penalties that vary with severity and can be issued for up to $50,000 per violation and $1.5 million annually. For example, as discussed in an earlier article, home health provider Lincare paid $239,800 in fines for a HIPAA violation after an investigation by the OCR found that the company’s manager had not taken appropriate measures under the HIPAA Privacy Rule to adequately safeguard its patients’ PHI.
To address the numerous privacy and security risks faced by health care organizations, the insurance industry over the past several years has developed tailored Cyber Liability and Professional Liability coverage enhancements to respond in the event of a loss. Cyber Liability policies can cover first- and third-party losses, such as patient notification, call center assistance, credit card management, replacement/restoration of electronic data, pinpointing and repairing vulnerabilities, crisis management, business interruption expenses, defense costs related to regulatory proceedings, legal defense in the event of a lawsuit, and settlements and damages related to a breach.
Professional Liability coverage, in addition to providing defense and indemnity coverage to home health care organizations for errors or oversights in treatment that result in patient injury, can be designed and customized to also include HIPAA-related fines and penalties and reimbursement for the costs of notifying parties as required by law following a security breach. This coverage, known as Administrative Defense Expense Coverage, is available by endorsement to a Professional Liability policy. It provides reimbursement for reasonable legal fees and for other expenses incurred in an investigation brought against the insured by any person, entity, or federal, state or local agency pertaining to HIPAA. This coverage is critical for home health care agencies, hospices, and other health care organizations because of the high costs involved in investigating a security breach and the attorney fees in defending a complaint. Without such coverage, home health care organizations would indeed have a gap in coverage of which they may not be aware.
Manchester Specialty specializes in insuring the home care, hospice and medical staffing industry and can assist you in providing comprehensive Professional Liability and Cyber Liability insurance to your insureds. We can design a policy to address the various HIPAA exposures your clients face, including providing coverage for related investigation and defense expenses – all part of the costs involved when a health care security breach occurs. To learn more about our insurance programs and services, please contact us at 855.972.9399.