Privacy Officer Desk
Did You Know?
In a world of constant data security threats, hacking incidents, and bad actors looking to do maximum damage to corporate reputations and individual privacy and security, data — including sensitive and personal information — has become vulnerable and at risk. Protected health information (PHI) is the most private of information and is also at risk on multiple provider and vendor sites. Entities lacking robust security and privacy protocols can be easy targets for hackers and cyber criminals. Even those companies that do follow the rules and provide extensive security and privacy safeguards can be hacked by very sophisticated bad actors. The cost of remediating a data security incident can be exorbitant and if a business is not properly insured for such a loss, it can be catastrophic for that business and its customers, patients, partners, and investors.
Cyber liability insurance, also occasionally referred to as “data security” coverage, is vital for any business that maintains lots of data and does business in the cloud or over the internet. It is particularly important to healthcare companies and their business associates who are all maintaining, sharing, using and disclosing PHI. A recent report revealed that the average cost to remediate a major healthcare data breach has surpassed $10 million. Some of the costs related to a healthcare breach include, but are not limited to, preparing and mailing notification letters to affected individuals, setting up a website and/or call center to field questions and address issues, notifying the media and having alternative means of notification to affected individuals, providing for credit monitoring and fraud recovery services, payment of attorney and forensic investigation fees, and payment of fines assessed by state and federal regulators. The internal costs, which are unlikely to be covered by insurance, include staff time to investigate and remediate the issue, along with adjustment to policies, procedures, and systems to correct the problems and prevent any future events, system downtime, and purchase of new or enhanced software products.
The industry is now also dealing with class action lawsuits in states that permit those actions as a result of breaches or cyber incidents. The costs to defend and settle these suits can be staggering, and without cyber liability insurance, could likely bankrupt a small business and seriously affect the operating budget of a larger institution. Insurance coverage for these losses has now become an accepted cost of doing business, but that cost is rising significantly. Some insurance companies have stopped offering this coverage as recent losses over the past few years have been extremely high. Companies that still offer cyber liability insurance have raised rates to astronomic levels, forcing businesses to rethink their overall insurance programs as well as adjusting operating budgets and enhancing privacy and security programs.
How can a business, small or large, improve its chances of obtaining cyber liability insurance coverage and minimize the cost of that coverage? Here are a few points to consider:
- A robust privacy and security program is vital to showing insurance companies that your business is serious about securing data.
- Policies and procedures that require stringent privacy & security protocols and are mandatory for compliance within your organization are vital.
- Performance of an annual privacy & security risk analysis, as well as an annual risk management assessment, are also critical to show the seriousness with which your organization views data security and also sets forth a plan to address shortcomings.
- Continuous training of your workforce and engagement with your third-party partners is important to keep privacy and security on everyone’s mind and enforce the rules within your organization related to privacy, security, and data handling.
- Compliance with federal and state regulations related to privacy and security.
- Inclusion of specific tools in your privacy and security programs that will enhance overall compliance efforts, such as privacy and diversion monitoring and alerting.
Remember also that a history of insurance claims, no matter the cause or reason, will affect the cost of obtaining any type of insurance coverage. A business needs to minimize its risks so as to minimize its incidents and thus minimize its claims. Being aware of issues, and being vigilant in addressing those issues, is essential to being able to obtain and afford cyber liability insurance in today’s ever risky data security world.
The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, sets forth standards and requirements for both privacy and security of Protected Health Information (“PHI”). There are many nuances to protecting PHI, including specific privacy and security standards. And while the official HIPAA regulation contains the phrase “Administrative Simplification”, those rules and regulations can be anything but simple!
How does all of this work with privacy and security? Isn’t there a difference between the two concepts that requires them to be separately addressed? Yes and no. HIPAA does, in fact, separate the two concepts with the Privacy Rule and the Security Rule, each with individual mandates and requirements. However, the concepts of privacy and security should never be addressed so separately that one is given more weight than the other, or one is ignored in order to meet requirements of the other. The Privacy and Security Rules of HIPAA are intended to work together to protect the rights of individuals and to secure their PHI.
Many laws and regulations address either data security or individual privacy, but few address both as does HIPAA. The requirements for privacy and security under HIPAA are not mutually exclusive. Covered entities and business associates must comply with both the Privacy and Security Rules in even fashion, thus addressing both concepts contemporaneously. HIPAA mandates that covered entities and business associates have both a Privacy Officer and Security Officer, and while many organizations keep these functions very separate and distinct, the officials who serve in those roles should always be in contact and work together in order to provide a comprehensive plan for both privacy and security. An organization’s privacy policies and plans should complement the organization’s security policies and efforts, and vice versa. Compliance under the Privacy Rule does not allow for a “pass” under the Security Rule -- both privacy and security must be accounted for under HIPAA.
The specifications under HIPAA are generally tagged as either “required” or “addressable.” A required specification means that a covered entity or business associate MUST implement that specification. An addressable specification means that a covered entity or business associate must assess if the specification is appropriate and reasonable for its environment and thus determine if implementation is achievable. If the specification as written is deemed to be inappropriate or unreasonable, a party must implement an equivalent alternative measure that satisfies the intent and requirement of the written specification. “Addressable” does NOT mean that the specification may be completely ignored.
Robust security programs must have the following safeguards: technical, physical and administrative, all as set forth under HIPAA with specific standards and requirements. Access and audit controls fall under technical safeguards and are required to protect electronic PHI, or ePHI. Performing a risk analysis and having risk management reviews and procedures in place fall under administrative safeguards and are required to identify and reduce organizational risks that may jeopardize the security of PHI. Workstation security protocols and data back-up and storage procedures fall under physical safeguards and are implemented to provide a safe and secure work environment when accessing ePHI. There are many other safeguards and standards set forth under HIPAA that all covered entities and business associates must comply with, and it is important to stay vigilant with these requirements in order to protect and secure PHI in all forms. Utilizing artificial intelligence, or AI, to address some of these mandatory safeguards can mitigate risk, including reducing the risk of an inappropriate use or disclosure of PHI.
Many states have data security, data protection, and/or breach notification laws, but only 5 states have specific privacy-centered laws:
The laws are in various stages of finalization and roll-out, but all are based upon consumer protection concepts for individuals. These state laws codify protections for individuals who share personal information with businesses, or whose personal information is collected, used, and disclosed by businesses, often through website activity.
While the protections under these laws are not geared specifically to health information, all individuals who interact with businesses will have rights, and in some instances remedies, under these state laws. The privacy laws are loosely based on the European Union’s GDPR, and may provide stand-alone consumer protections, or provide additional protections in conjunction with other data security regulations.
There are 12 additional states considering specific consumer privacy regulations, but those efforts are either on-hold or adjourned at this time.