With the Final HIPAA omnibus rule released on January 17th, healthcare organizations and their business associates need to sit down together and make sure that their policies and procedures align. All parties that handle PII and PHI must be made aware of, and trained on, the organization’s policies and procedures. Now that the final rule has been released, it’s important that all parties come together to ensure HIPAA Privacy and Security compliance and to understand the ramifications and risks associated with non-compliance.
HHS Office for Civil Rights Director Leon Rodriguez stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
Now is the time for healthcare organizations to make sure they are HIPAA compliant and to also make sure their business associates are compliant as well. Healthcare organizations must start asking their business associates some tough questions now rather than after a data breach happens.
Some questions healthcare organizations may want to consider asking their business associates (not limited to the below):
– Does your healthcare organization require Business Associates who have access to confidential information or electronic Personal Health Information (ePHI) to demonstrate adequate security policies and procedures?
– Do you know your Business Associates’ compliance levels?
– How often does your organization test or assess their compliance? Do you actively monitor your Business Associates?
– Do you know how your Business Associates store ePHI? Do you know how they destroy it, and how they manage it?
– Are your Business Associates required by contract to indemnify your organization for harm arising from a data breach?
– How do you know if your Business Associates are following your policies and procedures?
– Do you have evidence that your Business Associates are training their employees on those policies and procedures?
– In the event of a BA data breach, will your organization be able to prove you did enough to qualify as “satisfactory assurances”?
The Final HIPAA omnibus rule should be a wake-up call for healthcare organizations and their business associates: HHS has made it very clear that the final rule strengthens its ability to vigorously enforce the HIPAA privacy and security protections. Penalties for noncompliance are increased and tiered by the level of negligence, with a maximum penalty of $1.5 million per violation.
With this in mind, cyber insurance can help mitigate fines that may be assessed against a healthcare organization for failure to comply with the HIPAA Privacy and Security rules. It can also help mitigate the first-party response costs associated with responding to a data breach (for example, notification costs, call center, credit monitoring, and similar expenses).
Cyber insurance with data breach response services offers an array of services (check the policy you are considering for the services it actually covers) after a cyber attack or data breach happens, and can help manage the aftermath. Depending on the specific policies and endorsements, it may offer coverages such as:
1) crisis management and customer notification expenses,
2) credit/identity theft monitoring,
3) privacy and security liability,
4) privacy regulatory defense and penalties,
5) computer forensics investigation,
6) a “Data Breach Coach” (aka “Privacy” attorney) and
7) pre-breach planning services.
It’s important to note that cyber insurance policies are not standardized; coverage varies by insurance carrier.
CYBER DATA RISK MANAGERS LLC is an Independent Insurance Agency specializing in Cyber Security and Data Breach response insurance. We offer solutions that help you quickly respond to cyber events and data breaches, as well as plan in advance for their occurrence. Given the ever-changing nature of information assurance and compliance, you don’t want to be caught unprepared.