Does your organization meet the requirements laid out in the HIPAA/HITECH omnibus final rule? Bob Parisi from Marsh gives his view on the new rules, their impact on healthcare organizations, and cyber risks in general.
What are some of the new changes in the HIPAA privacy and security rules?
The new Health Insurance Portability and Accountability Act (HIPAA) rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act includes several changes. First, it expands the definition of ‘breach’ to say that a cyber event is “… presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the protected health information (PHI) has been compromised”.
What this means is that breach notification is now necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that PHI has been compromised. To put it simply: guilty until proven innocent.
How do healthcare organizations demonstrate low probability in these situations?
There is no clear guidance in the rule but a logical first step would be undertaking a risk assessment that addresses, at a minimum:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
What other changes were made to the HIPAA privacy and
In addition to a tougher breach reporting standard, the new rules significantly broaden the definition of healthcare providers’ business associates, bringing more subcontractors, such as document and data storage organizations, personal health record vendors and financial lenders, under HIPAA’s authority.
The new rule also provides certain exceptions when it comes to the sale of PHI. For example, the request for authorization to sell PHI must now state that the disclosure will result in remuneration to the covered entity.
Why do you think the new rules were needed?
For no other reason than to clarify exactly what was required. Healthcare providers, health plans, and their business associates have a strong tradition of safeguarding private health information. However, higher security standards are needed to keep pace with changing technology and the increased exchange of PHI between covered and non-covered entities. As such, the HIPAA omnibus final rule provides clear standards for the protection of electronic PHI.
What else should healthcare organizations do to comply with the new changes?
It is recommended that, at a minimum, healthcare organizations and covered entities review and revise their policies and procedures on breach notification and the sale of PHI. They should also develop new protocols for business associates to ensure they extend to subcontractors. Risk managers at affected entities also should review policies regarding PHI used for fundraising, requests to transmit such information to third persons, disclosure of immunization records, and authorizations for the use and sale of PHI and disclosure for paid marketing.
In addition, business associates and any entity that transmits PHI should perform risk assessments and carefully review their relationships with subcontractors. The entities may also want to seek clarification of language that clearly defines the roles and responsibilities of each party. Of course, this all assumes that the affected organizations are also ensuring they are in compliance with the relevant regulations.
Are healthcare organizations more at risk of a cyber breach than other industries?
Studies suggest that healthcare organizations are among the most at risk for data breaches. Over the last two years, 94 percent of healthcare organizations have suffered a data breach, while 45 percent suffered more than five such incidents, according to a report by data breach prevention company ID Experts.
The cost of such breaches to the healthcare industry is staggering—as high as $7 billion annually, according to risk consultant Navigant, with the average number of lost or stolen records per breach at 2,769.
What are the best ways to mitigate cyber risk?
Cyber risk involves a lot more than just privacy issues and protecting information. It’s an operational risk and needs to be properly understood and managed. Frankly, it’s education and awareness that serve as the best defense. Simply buying cyber insurance is not the answer. Healthcare risk managers need to take the appropriate steps to understand the risk and adequately inform their senior leaders so they can provide company-wide IT risk oversight.
In order to do that, risk managers need to take a coordinated view and approach to these risks and engage IT, legal, and compliance colleagues in the process.
You mentioned cyber insurance. What does that cover?
Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations. For example, cyber insurance will protect a company from key vulnerabilities such as:
• Claims arising from an actual or alleged failure of computer security to prevent or mitigate a computer attack;
• Claims arising from a disclosure or mishandling of confidential information;
• Costs associated with complying with privacy breach notification statutes, including legal and forensic expenses; and
• Defense of regulatory actions including affirmative coverage for assessed fines and penalties.
Are more healthcare companies purchasing cyber insurance today?
According to Marsh’s most recent benchmarking report, the number of healthcare clients purchasing cyber insurance increased 20.2 percent from 2011 to 2012.
About the rule
In January, the Department of Health and Human Services Office of Civil Rights issued its final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the HITECH Act. The final rule, which impacts the cyber activities of healthcare providers, became effective on March 26, and final compliance is required by September 23.