This document summarizes a presentation on cyber and data risk insurance for the healthcare industry. It discusses how healthcare is a highly regulated industry with laws like HIPAA, HITECH, and state privacy laws. The implementation of electronic medical records and health insurance exchanges present new compliance challenges. Recent data breaches at healthcare organizations like HealthNet, Tricare, and Sutter Health resulted in lawsuits and fines for failures to properly secure private health information and notify individuals. Emerging issues that impact HIPAA compliance include cloud computing, mobile devices, and social media use.
2. Healthcare - What We Know
• Highly regulated industry
– HIPAA
– HITECH
– State data privacy and breach notification laws
• Business Associate requirements are a moving target
– Third party due diligence has always been a problem
• Covered Entities held to a higher standard
– Your customers simply expect more – and they vote with their feet when they don’t get it
Focused on the Business of InsuranceSM
3. What’s Here Now and What’s On the Horizon
• Electronic Medical Records (EMRs)
– Operation/Implementation Challenges
• Fair Information Principles Will Apply
• Health Insurance Exchanges (HIEs)
– HIPAA Compliance Challenges
• Who is and isn’t a Covered Entity?
• Operation/Implementation Challenges
– States will vary in Compliance protocols
4. EMR and HIPAA Requirements
5. EMRs – The New Reality
• The shift toward electronic health records has gained great momentum
• Meaningful use, and interoperability, are big concerns – more data in motion, more data at risk
• The first round of EHR incentive payments for meaningful use occurred earlier this year
7. EMR—Cost of Non-compliance
• Exposure to OCR/AG Actions
• Fines
• Punitive damages
8. EMR—Electronic Security
• During conversion
• Physical security of paper documents
• Secure electronic transmission
• Secure electronic storage
• Secure conversion facility
• After conversion
• Secure destruction of paper records
• Secure electronic storage
9. Health Insurance Exchanges
• Required under Affordable Care Act (ACA) to be implemented by Jan. 2014
• Some states will operate themselves
• Some states will establish through partnership with federal government and its contractors
• Facilitate the purchase of health insurance coverage by small businesses and individuals
• Determine eligibility and review plans for compliance with required benefits packages
• Facilitate online availability of plans
• Process enrollment
10. Health Insurance Exchanges (Cont’d.)
• To date, most HIEs have been set up as government or quasi-government entities and are thus NOT “Covered Entities” under HIPAA
• Participating Insurers (Qualified Health Plans) ARE still Covered Entities
– Must continue to comply with HIPAA as well as any new privacy/security requirements imposed by the exchanges on their participating plans
• HHS final rule established no single minimum standards, but directed HIEs to develop privacy/security policies based on FTC Fair Information Practice Principles
11. Compliance & Notice Regulations
• HITECH Act
– Extends HIPAA to “business associates” of covered entities.
• E.g. claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management
– Permits State Attorneys General to bring civil actions in federal court.
• First AG suit filed against Health Net Connecticut in January 2010 alleging failure to properly encrypt portable data (violating HIPAA) and failure to timely provide notice (suit settled: $250K fine, 2 years credit monitoring, additional $500K fine if person suffers ID theft as result of breach)
– Civil monetary penalties range from $50K - $1.5m per violation, per calendar year.
– Provides for mandatory audits by the Sec. of HHS to ensure data security policies and procedures are compliant and implemented.
12. Compliance & Notice Regulations
• HITECH Act – Civil Penalties
– Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)
• Cignet failed to provide patients access to their own health information as required by HIPAA (fine $1.3 mil) and failed to cooperate with HHS’s investigation (fine $3 mil)
• First fine by HHS for violations of HIPAA Privacy Rule provisions
– Massachusetts General Hospital – Settlement with HHS in amount of $1 million (Feb. 2011)
• Settlement for alleged violations of HIPAA (paper records lost on subway)
13. HealthNet - Case Study
• May of 2009: Portable computer disk drive with 446,000 private records lost/stolen from HealthNet Connecticut.
• November 2009: HealthNet goes public about the breach, notifying the affected individuals and the Attorney General.
• January 2010: Connecticut Attorney General files suit against HealthNet alleging:
– Improper handling of the breach event
– Failure to timely notify affected individuals and AG’s office
– 12 violations of HIPAA privacy and security rules
14. HealthNet - Case Study
• OUTCOME: July 7, 2010 – HealthNet Settles Suit
• HealthNet will pay CT $250,000 in statutory damages and implement a corrective action plan.
• If misuse of the data is established, such as actual identity theft, HealthNet will pay CT an additional $500,000 in statutory damages.
• HealthNet incurred costs of over $7 Mil to forensically investigate, provide notification and credit monitoring…
15. RECENT HIPAA/HITECH BREACHES
• Massachusetts Eye and Ear – September, 2012
• Alaska Department of Health and Human Services – June, 2012
• Phoenix Cardiac Surgery – April, 2012
• Blue Cross Blue Shield of Tennessee – March, 2012
• Health Net Connection—January 2010
16. Class Action Claims
• Litigation
– Breach guidance
– Investigation
– Notification
– E-discovery
– Litigation prep
– Contractual review
– Defense (MDL?)
• Plaintiffs’ Demands
– Fraud reimbursement
– Credit monitoring
– Identity monitoring
– Civil fines and/or penalties
– Time
17. Class Action—Tricare
• September, 2011: Backup tapes containing PHI of 4.9m patients treated at San Antonio military facilities between 1992 and September 7, 2011 stolen from vehicle of Tricare contractor Science Applications International Corp. employee
• PHI—names, addresses, phone numbers, clinical notes, laboratory tests, prescription information, social security numbers
• September 14, 2011: Science App. notifies Tricare
• September 29, 2011: Tricare begins patient notifications
• Tricare did not offer credit monitoring
18. Tricare, cont’d
• October 11, 2011: lawsuit filed, alleging, among other things:
– Tricare operations manual requires notification no later than ten days after discovery of breach
– Tricare was repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security but failed to effectively respond
• Lawsuit seeks an award of $4,900,000,000--$1,000 for each affected individual
19. Class Action—Sutter Health
• October 15-16, 2011: Sutter Health’s administrative offices burglarized, and a desktop PC, among other things, was stolen, containing:
– Names, addresses, dates of birth, phone number, and email of 3.3m Sutter Physician Services patients that were treated between 1995 and January, 2011
– Information on medical diagnosis and procedures for 943,000 Sutter Medical Foundation patients treated between 2005 and January, 2011
• October 17, 2011: theft reported to police
• November 15, 2011: Sutter Health began notifying affected individuals
• November 16, 2011: first lawsuit filed; twelve filed thus far
20. So What Else Keeps HIPAA Privacy Officers Up at Night?
• Employee Clinics
• Cloud Computing
• Social Media Challenges
• Encryption of Portable Devices and Tracking—Where is the PHI?
21. Questions?
Kimberly B. Holmes, Esq.
holmesk@chubb.com
(860) 408-2017
Christopher Keegan
christopher.keegan@willis.com
(212) 915-8276
John F. Mullen, Esq.
jmullen@nldhlaw.com
(215) 358-5154