Cyber & Data Risk Insurance

HEALTHCARE HIGHLIGHTS
6th Annual Advanced Forum on Cyber & Data Risk Insurance
September 27, 2012
Presented by:

Kimberly B. Holmes, Esq.
Chubb Group of Insurance Companies

Christopher Keegan
Senior Vice President, Willis

John F. Mullen, Esq.
Nelson, Levine, de Luca & Hamilton

Focused on the Business of InsuranceSM

© Nelson Levine de Luca & Hamilton, LLC

Healthcare - What We Know
• Highly regulated industry
– HIPAA
– HITECH
– State data privacy and breach
notification laws
• Business Associate requirements are a moving target
– Third party due diligence has always been a problem
• Covered Entities held to a higher standard
– Your customers simply expect more – and they vote with their feet
when they don’t get it


What’s Here Now and What’s On the Horizon
• Electronic Medical Records (EMRs)
– Operation/Implementation Challenges
• Fair Information Principles Will Apply

• Health Insurance Exchanges (HIEs)
– HIPAA Compliance Challenges
• Who is and isn’t a Covered Entity?
• Operation/Implementation Challenges
– States will vary in Compliance protocols


EMR and HIPAA
PAA R•HIPAA


Requirements

EMRs – The New Reality
• The shift toward electronic health records has gained great momentum
• Meaningful use, and interoperability, are big concerns – more data in
motion, more data at risk
• The first round of EHR incentive payments for meaningful use occurred
earlier this year


EMR—Compliance Costs
•

Secure conversion

•

Secure storage

•

Administrative safeguards

•

Technical safeguards

•

Physical safeguards


EMR—Cost of Non-compliance
• Exposure to OCR/AG Actions
• Fines
• Punitive damages


EMR—Electronic Security
• During conversion
• Physical security of paper documents
• Secure electronic transmission
• Secure electronic storage
• Secure conversion facility
• After conversion
• Secure destruction of paper records
• Secure electronic storage


Health Insurance Exchanges
• Required under Affordable Care Act (ACA) to be implemented
by Jan. 2014
• Some states will operate themselves
• Some states will establish through partnership with federal
government and its contractors
• Facilitate the purchase of health insurance coverage by
small businesses and individuals
• Determine eligibility and reviewing plans for compliance
with required benefits packages
• Facilitating online availabilty of plans
• Processing Enrollment


Health Insurance Exchanges (Cont’d.)
• To date, most HIEs have been set up as government or
quasi-government entities and are thus NOT “Covered
Entities” under HIPAA
• Participating Insurers (Qualified Health Plans) ARE still
Covered Entities
• Must continue to comply with HIPAA as well as any
new privacy/security requirements imposed by the
exchanges on their participating plan
• HHS final rule established no single minimum
standards,
but
directed
HIEs
to
develop
privacy/security policies based on FTC Fair Information
Practice Principles


Compliance & Notice Regulations
• HITECH Act
– Extends HIPAA to “business associates” of covered
entities.
• Eg. claims processing or administration, data analysis,
processing or administration, utilization review,
quality assurance, billing, benefit management
– Permits State Attorneys General to bring civil actions in
federal court.
• First AG suit filed against Health Net Connecticut in
January 2010 alleging failure to properly encrypt
portable data (violating HIPAA) and failure to timely
provide notice (suit settled: $250K fine, 2 ears credit
monitoring, additional $500K fine if person suffers ID
theft as result of breach)
– Civil monetary penalties range from $50K - $1.5m per
violation , per calendar year.
– Provides for mandatory audits by the Sec. of HHS to
ensure data security policies and procedures are
compliant, and implemented.


Compliance & Notice Regulations
• HITECH Act – Civil Penalties
– Cignet Health – HHS fined Cignet $4.3 million (Feb. 2011)
• Cignet failed to provide patients access to their own health information as
required by HIPAA (fine $1.3 mil) and failed to cooperate with HHS’s
investigation (fine $3 mil)
• First fine by HHS for violations of HIPAA Privacy Rule provisions
– Massachusetts General Hospital – Settlement with HHS in amount of
$1 million (Feb. 2011)

• Settlement for alleged violations of HIPAA (paper records lost on subway)


HealthNet - Case Study
• May of 2009: Portable computer disk drive
with 446,000 private records lost/stolen from
HealthNet Connecticut.
• November 2009: HealthNet goes public about the
breach, notifying the affected individuals and the Attorney General.
• January 2010: Connecticut Attorney General files suit against
HealthNet alleging:
– Improper handling of the breach event
– Failure to timely notify affected individuals and AG’s office
– 12 violations of HIPAA privacy and security rules


HealthNet - Case Study
• OUTCOME: July 7, 2010
HealthNet Settles Suit
• HealthNet will pay CT $250,000 in statutory damages
and implement a corrective action plan.
• If misuse of the data is established, such as actual identity theft, Health
Net will pay CT an additional $500,000 in statutory damages.
• HealthNet incurred costs of over $7 Mil to forensically investigate, provide
notification and credit monitoring…


RECENT HIPAA/HITECH BREACHES
• Massachusetts Eye and Ear – September, 2012
• Alaska Department of Health and Human Services – June, 2012
• Phoenix Cardiac Surgery – April, 2012
• Blue Cross Blue Shield of Tennessee – March, 2012

• Health Net Connection—January 2010


Class Action Claims
• Litigation
•
•
•
•
•
•
•

•

Breach guidance
Investigation
Notification
E-discovery
Litigation prep
Contractual review
Defense (MDL?)

Plaintiffs Demands
•
•
•
•
•

Fraud reimbursement
Credit monitoring
Identity monitoring
Civil fines and/or penalties
Time


Class Action—Tricare
September, 2011: Backup tapes containing PHI of 4.9m patients
treated at San Antonio military facilities between 1992 and September 7,
2011 stolen from vehicle of Tricare contractor Science Applications
International Corp. employee
•

• PHI—names, addresses, phone numbers, clinical notes,
laboratory tests, prescription information, social security
numbers
• September 14, 2011: Science App. notifies Tricare
• September 29, 2011: Tricare begins patients notifications
• Tricare did not offer credit monitoring


Tricare, cont’d

• October 11, 2011: lawsuit filed, alleging, among other things:
• Tricare operations manual requires notification no later than ten days
after discovery of breach
• Tricare was repeatedly informed of recurring, systemic, and
fundamental deficiencies in its information security but failed to
effectively respond
• Lawsuit seeks an award of $4,900,000,000--$1,000 for each affected
individual


Class Action—Sutter Health
• October 15-16, 2011: Sutter Health’s administrative offices burglarized, and a
desktop PC, among other things, was stolen, containing:
• Names, addresses, dates of birth, phone number, and email of 3.3m Sutter
Physican Services patients that were treated between 1995 and January, 2011
• Information on medical diagnosis and procedures for 943,000 Sutter Medical
Foundation patients treated between 2005 and January, 2011
• October 17, 2011: theft reported to police
• November 15, 2011: Sutter Health began notifying affected individuals
• November 16, 2011: first lawsuit filed; twelve filed thus far


So What Else Keeps HIPAA Privacy Officers Up at
Night?
• Employee Clinics
• Cloud Computing
• Social Media Challenges

• Encryption of Portable Devices and Tracking—Where is the PHI?


Questions?
Kimberly B. Holmes, Esq.
holmesk@chubb.com
(860) 408-2017
Christopher Keegan
christopher.keegan@willis.com
(212) 915-8276
John F. Mullen, Esq.
jmullen@nldhlaw.com
(215) 358-5154

Cyber & Data Risk Insurance

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (15)

Ähnlich wie Cyber & Data Risk Insurance

Ähnlich wie Cyber & Data Risk Insurance (20)

Mehr von Rachel Hamilton

Mehr von Rachel Hamilton (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cyber & Data Risk Insurance