Cyber Liability/ Data Breach Protection
The Policy with Risk Management Services
Do you know?
• When did the new federal HIPAA/HITECH final rule become law? March 26, 2013
• When is the law enforceable? Sept. 23, 2013
“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”
Leon Rodriguez, Director of the Office for Civil Rights
What is new to the federal law?
• Business Associates/Business Associates Agreements
• Notice Requirements (Federal & your State)
• Penalty Structure: $100-$50,000 per violation; maximum $1,500,000 for all violations of an identical provision per year
Examples of Legal Requirements
• Federal Laws
– Health information (HIPAA/HITECH)
– Financial information (Gramm-Leach-Bliley Act)
– Education information (FERPA)
– Information of children under 13 (COPPA)
– Sensitive employee information (GINA, FMLA)
• State Laws
– Breach notification in 46 states
– Disclosure of SSNs
– Processing of medical information
– Destruction/Disposal
– “Reasonable measures” to safeguard personal information
State Laws
46 of 50 states plus the District of Columbia, Puerto Rico & the Virgin Islands have data breach laws related to Personal Information (PI); many cover subsets of data that may be contained within medical records (Personal Health Information, PHI).
States w/o laws: Alabama, Kentucky, New Mexico, and South Dakota
• Usually protects data of residents residing in the state from certain types of disclosures
• CEs (covered entities) and BAs (business associates) must be aware of these laws in the event of a breach
• Differing requirements regarding who must be notified (State Attorney General, law enforcement, media outlets, the individual), the timing for such notice, and the manner of the notice
OCR /State Attorney General Investigations
Hospice of North Idaho
• 12/31/12: Theft of unencrypted laptop with EPHI of 41 patients
• First HIPAA breach settlement involving fewer than 500 patients
• $50,000 payment
Ashley Industrial Molding, Inc Employee Welfare Benefit Plan (Indiana)
• 8/09/11: Hacking/IT incident of 506
Massachusetts Mutual Life Insurance Company, MassMutual Financial Group
• 6/5/13: The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8. Exposed data included names, Social Security numbers, investment elections, and account balances
Attorneys General Beginning to Use HIPAA Enforcement Authority
Accretive Health, Inc. sued by Minnesota AG
• Suit followed breach of 23,000 patients’ PHI
• AG used combination of HIPAA and state law to close Accretive down in MN for a two-year period
• 7/31/12: $2.5M fine
South Shore Hospital sued by Massachusetts AG
• Suit followed breach of the PHI of 800,000 patients on unencrypted back-up tapes lost during shipment
• 5/24/12: $750,000 fine
Research
Brown & Brown-Tampa Programs Division’s research to find the best product to meet your client’s needs yielded the Beazley Breach Response Select. Beazley Breach Response was involved in 6 of 9 major breaches in the United States last year sending out 9.6 million notices.
Excellent Coverage including Risk Management Services.
Policy Highlights
If a breach occurs, one call to report it & Beazley takes over…
• Privacy Liability
• Privacy Notification Expense
• Regulatory Liability
– HIPAA/HITECH Fines & Penalties
• Network Security Liability
• Media/Website Liability
• Public Relations and Crisis Management Expense
• Credit Monitoring Expense
• Legal and Forensic Expense
• Theft Resolution Services
• Cyber Extortion Loss
• Data Protection Loss
• Business Interruption Coverage
Coverage Limits
• Information Security & Privacy Liability $1,000,000*
• Regulatory Defense & Penalties $100,000*
• Website Media Content Liability $100,000*
• Payment Card Industry (PCI) Fines and Costs $50,000
* Higher limits available upon request
Coverage Limits Continued
• Privacy Breach Response Services*
– Notification to Individual Clients 25,000 individuals
– Credit Monitoring 3 credit bureaus for 12 months
– Identity Theft Resolutions Up to 5,000 cases
– Foreign Notification $50,000
*Breach Response Services are OUTSIDE of the Limits of Liability
• First Party Coverage
– Cyber Extortion Included
– Data Protection Loss Included
– Forensic Expense $50,000**
– Business Interruption Loss Included
** Higher limits available upon request
Scope of Services (1)
Step-by-Step Procedures to Lower Risk
• Understand the scope of “personal information” (“PI”)
• Determine where PI is stored
• Collect/retain the minimum amount of PI required for business needs
• Destroy PI when no longer needed
• Risk assessment guidance
• Develop and implement an Incident Response Plan
On-line Compliance Materials
• Federal and state compliance materials
• Summaries of federal and state laws
• Sample policies & procedures
• Continuing updates and electronic notification of significant changes
Scope of Services (2)
Periodic Newsletter & “Privacy Posts”
• Sent by email
• Significant changes in federal and state laws/regulations
• Breach and data security news
• Links to related on-line information
Privacy Posts for events requiring immediate attention
Phone/E-mail Support
Consultants & attorneys answer questions, including:
• Health care & HIPAA compliance issues
• Data breach prevention issues
• Data security best practices
• Computer forensic issues
Scope of Services (3)
Training Modules
• On-line training material
– Specific, to-the-point
• Awareness bulletins & posters
• Webinars
– for privacy compliance and IT staff
Handling Data Breaches
Guidance provided to:
• Respond to a data breach
Questions???
Thank you & we look forward to quoting for you soon!!!
Martha Oddo 813-222-4133 [email protected]
Patel 813-222-4358 [email protected]