The Health Insurance Portability and Accountability Act (HIPAA) took effect in 1996, introducing privacy measures to protect Americans’ sensitive health-related data. Health care providers and organizations, as well as their business associates, must develop and follow procedures to ensure the confidentiality and security of protected health information (PHI) when it is received, handled, transferred, or shared. This applies to all forms of PHI, including paper, oral, electronic, etc. PHI includes name, date of birth, Social Security Number, health insurance number, medical record number, license number, phone number, and address. Moreover, organizations must not use, disclose or request more personal health information than is absolutely necessary.
The HITECH Act as part of the American Recovery and Reinvestment Act (ARRA) was enacted in 2009, and expanded provisions in HIPAA. Under the HITECH Act, HIPAA-covered entities must maintain specific physical, administrative, and digital data protection mechanisms; any breaches to patient information must be reported to affected parties in a timely manner; any breaches of 500 or more patient records must be reported to Human Health Services (HHS) and the media; HIPAA-covered entities must demonstrate “meaningful use” of electronic patient records and provide patients with access to their records within 30 days of a request; and fines for HIPAA-covered entities that violate data privacy standards were increased substantially.
In 2013, further changes were implemented to HIPAA under the HiTECH Act with the Omnibus Rule. One of the most significant developments under the Omnibus Rule made business associates of health care entities directly liable for compliance with many of the requirements under the HIPAA Privacy and Security Rules. The Omnibus Rule defines “business associate” as a person or entity “who creates, receives, maintains or transmits” protected health information on behalf of a covered entity. Moreover, “subcontractors”— persons “to whom a business associate delegates a function, activity, or service”— were specifically included in the new definition of “business associate.” The rules are not simply limited to direct subcontractors but also apply to “downstream entities.” Previously, business associates and their subcontractors could only be held liable for breach of their contracts with health care providers. Now that business associates and subcontractors are directly liable for HIPAA violations, it is necessary for them to follow all rules regarding the use and disclosure of personal health information due to their potential liability. Equally so, health care providers must closely monitor their business partners due to the potential risk of vicarious liability they face under the Omnibus Rule.
Coverage for HIPAA Violations
As HIPAA-covered entities, hospices, home health care providers, and miscellaneous medical facilities must ensure they do everything required by HIPAA Privacy and Security Rules. Additionally, given the complexity of regulations under HIPAA, the significant fines and penalties for HIPAA violations, and the possibility of broader liability for the acts of business partners under the Omnibus Rule, it is critical that providers protect themselves against potential risk exposure.
Professional Liability insurance policies can be designed to include coverage for HIPAA violations including for proceedings, fines and penalties. It may also be possible to obtain coverage for business associates and subcontractors as “independent contractors” under a Professional Liability policy.
It’s important to understand how your Professional Liability policy is written when it comes to HIPAA coverage, including whether there is defense coverage as a result of an investigation that is brought by the government alleging HIPAA violations. Also, review the policy’s sub-limits for HIPAA coverage and whether you can be covered for the exposures of others (business associates). Manchester Specialty Programs offers a broad Professional Liability policy with HIPAA coverage to health care organizations. We can discuss your specific needs and the details of the policy with your local insurance broker. You or your local agent/broker can contact us at 855.972.9399 for more information.