On January 23rd HCM held a webinar featuring our own Joe Dylewski and Jill Jordan, from Arthur J Gallagher. They discussed the importance of Cyber Security and HIPAA Policies for your practice. Check out the transcript of the webinar below:
Joe Dylewski: I have spent the majority of my career, almost 25 years now, in the IT side of business. I’ve held positions everywhere from infrastructure manager to project manager, and I’ve had the opportunity to live and work overseas as a part of that. The last half of my career has exclusively been in healthcare. I got my footing in the HIPAA side of the business through application development. We were leading large projects that required HIPAA compliance and began really digging into the HIPAA requirements around the 2000-2003 timeframe.
Jill Jordan: I have spent the majority of my 15 or so years in the insurance business, on the brokerage side, mostly. I started with Gallagher in Houston in 2000, and was there doing P&C in the energy industry. Then I moved to Chicago and started working solely on the cyber risk services in E&O about six and a half years ago. My focus is now just on this arena.
Joe: Whenever I present on HIPAA I like to spend a few minutes doing a HIPAA 101, because I find that a lot of individuals aren’t completely familiar with what HIPAA is all about and what is contained in the HIPAA language. So let me take us all back to 1996, when HIPAA was introduced. From an initiative standpoint, the real purpose of HIPAA, upfront, was to try and reduce health care costs. A lot of that had to do with the administrative time that was engaged in making health care run. For example, if anybody remembers or was involved in health care prior to ’96, when we would submit claims from a doctor’s office to an insurance company, or a hospital to an insurance company, a lot of that claim information was paper. So doctors would keep ledgers of all the patients they visited, and what the procedures were. And on the other end, that paper would be interpreted, claims would be adjudicated, payments would be sent, et cetera. Well, as you can imagine, that’s extremely inefficient. So, the real purpose was to try to drive some efficiency using electronics in healthcare. However, there were other pieces that they put in place with HIPAA; one of them was insurance portability, the idea of being able to hold individual coverage and have that coverage transfer from employer to employer. Another was fraud prevention; obviously, with the introduction of electronics into this system, we wanted to be able to place an emphasis on being able to recognize and prevent insurance fraud.
And then this whole idea of administrative simplification; now this is generally the area where people have the most familiarity. When we think of HIPAA, we think that it really equates to those forms that you sign at the doctors’ offices for their privacy, and what they can do with your information. Well, in reality, that privacy piece of HIPAA is one fraction of what HIPAA is as a law, because there’s also the idea of securing the information. Now, I’m going to spend a little bit of time discussing the differences between privacy and security. So, the privacy side talks specifically about what’s called “use and disclosure”: how a doctor or insurance company can use your information to treat you, to receive payment, or to maintain the healthcare operations. The other side of privacy is the disclosure piece, which is how an entity can release your information to a third party; in other words, disclose it for some purpose, whether it’s approved. And where we get into unauthorized disclosures is that word we know as breach.
HIPAA-Title II Slide:
Now the security side, however, is a little different and is typically the area where I find the least familiarity in the marketplace. So, Title II of HIPAA is named administrative simplification. Then there are three major sets of rules under the administrative simplification law. The first one was the electronic data interchange; so the idea of taking healthcare transactions and being able to transmit those from point A to point B electronically was all defined in HIPAA. The codes, the transaction sets were all identified. On the far right is the privacy rule, which we talked about a few seconds ago. In the middle is, now where we’re getting a lot of attention, the security rule. And the security rule deals with different steps and safeguards to protect electronic patient information: administrative safeguards, physical safeguards, and technical safeguards. And a lot of that deals with the policies and procedures that are in place. It deals with the efforts and the mechanisms that individuals or organizations have to protect that data, and, of course, being able to prove that.
Security Rule Slide:
So, we’ll talk about that security rule, because the first thing that comes to mind when I talk with organizations about security is this whole idea of confidentiality. So, many believe that security is keeping that information confidential. But from a HIPAA perspective, security has to do with three key areas: in addition to confidentiality, integrity and availability. Imagine that the integrity of the data is compromised; if you were a patient, and the data wasn’t correct, and you were attempting to receive care with incorrect data; I’ve seen it happen out there. And the third, and very important, piece is availability. So, once a hospital or physician practice moves to the electronic method of keeping medical records, imagine what it would be like if the information one day just wasn’t available for various purposes. The reasons could be a disaster, or a general system outage. So HIPAA deals with all three of those areas, and a breach could occur in any one of those areas.
Where is the PHI? Slide:
Let’s talk a little bit about the location of PHI, protected health information. On this diagram I’ve laid out a scenario, and I chose the lowest common denominator, which is a one-physician practice. However, when you start looking and peeling back the onion on a physician practice, you find that the protected health information that they hold is actually all over the board. You have, maybe, an IT services company that takes care of their equipment, so they have access to it. Document destruction, a shredding company, has access to it. That patient information might not reside on their site; they might be using a hosted electronic medical record software that is located elsewhere. So all of a sudden, you have this doctor’s information spread across this great deal of geography.
The HITECH Act Slide:
It’s important to understand that the protection of that health information has to be equivalent in every one of those entities. So, the one thing I talk about in that slide is it’s one thing to recognize the risks and vulnerabilities that exist in a particular office, but keep in mind that the scope of geography is much larger. So, we’re moving along in HIPAA from ’96, and these security and privacy rules have been in place since ’96. However, in 2009, something interesting happened in the healthcare market. As part of the American Reinvestment Recovery Act, there was another act that was a portion of that called the Health Information Technology for Economic Recovery and Reinvestment, HITECH. And one of the things that happened in HITECH is the government recognized, based on where we stood electronically in the healthcare industry, that we needed to have a major push to get physician records electronic. If you think about this, 80% of patient records, as they exist today, exist in doctors’ offices; the remaining 20% exist in hospitals. Up until 2009, less than 1% of doctors’ offices had implemented electronic technology. So, the push for security from the HIPAA perspective was never that strong; they never had much to go on, although it was out there. Well, once HITECH came along, it introduced incentives or reimbursements for the implementation of electronic medical records. That reimbursement came in the form of Medicare funds and it was somewhere between $44,000 and $63,000, based on the type of business you did, whether it was Medicare or Medicaid. The practices and practitioners out there saw this, and saw it as their opportunity to finally have some organization help them implement their electronic medical record software.
HIPAA looked at this and said “pause, stop, if we’re going to do this we have to make sure that these rules we’ve implemented in ’96 continue to be adhered to and everyone understands them.” With this reimbursement, all of a sudden, came this push for HIPAA, and HIPAA compliance and security compliance. One of the things they did to strengthen that was when a practice or practitioner is going to receive this reimbursement, they have a certain amount of requirements and measurements they have to meet.
HIPAA Enforcement Slide:
HIPAA compliance and security compliance was one of those measures. The other thing that came out of HITECH was to put some teeth around the HIPAA laws; so they beefed up the enforcement activity. Prior to HITECH, if there was a breach the maximum fine was $25,000. They’ve raised that to $1.5 million as a maximum fine; it’s now being enforced by the Office of Civil Rights. They’re also currently building an audit candidate list, so the Office of Civil Rights is going to be randomly auditing organizations on their HIPAA compliance. The other key phenomenon to happen out of all of this is that collected fines went to support the enforcement process, so it was a self-funding effort. Also, they appropriated dollars within HITECH for enforcement within the State Attorney General’s Office. Practitioners can face maximum OCR fines of $50,000 for falsely attesting to meaningful use measure #15; meaningful use measure #15 was the piece of those reimbursement dollars that required HIPAA compliance. The other thing that changed is that ignorance is no longer tolerated. Prior to HITECH, it was seen that people would get slapped on the wrist where they could claim “I didn’t know”, and were just told to fix things.
Compliance Effort vs. Risk Slide:
Ignorance is no longer tolerated; it’s now considered willful neglect. So, the idea with the enforcement activities and HIPAA in general is that the more effort you put into being compliant, the less risk you present. The government Office of Civil Rights identifies this by the least amount of effort done being considered neglect. So, if a breach occurs and the problem is mitigated it’s considered one category; if it’s not mitigated it’s considered this other category, which means it’s willful neglect if the violation is not corrected. Then, the organization can willfully neglect it and correct the problem. The organization can have a breach due to reasonable cause and not willful neglect; in other words, they don’t work on it, but it was something that was missed or something that was not ignored. Then, of course, the last is a breach that happens by exercising all the diligence but not being able to control that; and that’s important because breaches that occur are tagged with some sort of fine, and the idea is that the more effort you put in, the less risky it is, and the more you reduce the potential fine and enforcement activities. Even in the most compliant organizations, breaches can and do occur, but the way that it’s enforced is based on how much effort has been put into preventing that occurrence.
OCR Audits and Current Activity Slide:
So let’s talk about what they’re doing to find out and determine where and how these breaches are enforced. First of all, one of the things that’s happened over the last two years is a formal HIPAA audit protocol was developed; in other words, they didn’t have anything to evaluate an entity prior to 2010. So they contracted with a couple of larger consulting firms; one of those actually created a HIPAA protocol for audit, and the other created an audit target list. They’re in the process of wrapping up the first year of those audits, and are now in the process of creating a second audit list that is going to include business associates. It’s important to know that, in terms of what triggers an audit, there are really three things. One of them is a self-reported breach; if there are healthcare organizations on the call then we know that if a breach occurs they are required by law to report that, and depending on the size they may have to report it to different vehicles. The other way that a HIPAA breach or audit can occur is when a patient complains. For example, I’ve been involved in situations with clients where a patient has felt their privacy was violated and they complained to the Office of Civil Rights and it sparked a full-on audit. The third is the idea of a random audit; these audits are the least probable. The probability of getting chosen by OCR for a random audit is very low. The other triggers are much higher.
Cyber Security Trends Slide:
So with that, I’m going to turn the presentation over to Jill for the cyber security.
Jill: I’m going to spend a few minutes talking about the trends when it comes to breaches, then go into some insurance coverages that you can purchase to mitigate against, or help with, the costs associated with a breach. You’re looking at the trends over the last 5-6 years. A couple of things to note on here: it’s been steady as to the number of breaches as of September 2012; between 400-600 breaches is normal. The records exposed is also somewhat even; anywhere from 15-16 million to 25 million is the normal. You’ll see in 2009 and 2007 there were two large hits; those were very specific, large breaches. One was the TJ Maxx, back in 2007, and the Heartland breach was 2009, affecting a lot of grocery stores on the East Coast. 2007 and 2009 were anomalies. To go through a quick trend of what happened in 2012, the final numbers are 447 breaches and about 7 million records exposed. Of those 7 million, the medical healthcare industry is by far the largest group this past year. About 35% of the breaches were healthcare and about 13% of the records; right now they’re the number one industry as far as breaches. The government is number two, pretty much because of the number of records they hold; that breach makes sense. Education is number three, which includes both higher education and K-12. The healthcare industry is definitely seeing the most breaches. Just so you know, on here we’ve been talking about PHI; this obviously includes PHI and PII, which is personally identifiable information. PII is more on the financial side, including your name, address, with social security number, date of birth, driver’s license, any kind of account information including credit cards, debit cards, that sort of thing. So both sides are represented here, PHI and PII.
Cause of Breach Slide:
The next slide is a pie graph of the causes of a breach. About 40% of breaches are employee negligence, not intended; these are the lost laptop, lost flash drive, sending wrong information by email or mail to the wrong patient, not shredding paper documents when you should. The malicious or criminal acts are the hacker getting in, obviously. But it also includes rogue employees, people who have legitimate access to information, but they use it fraudulently or sell it. The system failure is when the actual network gets a virus and causes a breach. The significance of this breakdown is that the majority of breaches aren’t something you can combat with security on the network. IT security is a great step to be prepared, but you can’t do much about the negligence and innocent errors of people.
Major Risk Concerns Slide:
Human error is by far the biggest risk concern: not intentional, just someone making a mistake. Hackers, rogue employees, and independent contractors are another set of exposures. When you outsource your IT, payroll, admin, you’re opening yourself up because you don’t have as much control over the security of the information when you hand it over to a third party. Keeping track of that, understanding what insurance they have, what security practices they have in place, keeping up with your contractors and independent vendors is important when it comes to keeping that information secure; because if it’s your information, it’s your responsibility. Even if you’re turning it over to someone else, if something happens, you’re the one on the hook with OCR. Mobile devices, cell phones, smart phones, tablets, desktops, and laptops are also a risk. The regulatory environment, including HIPAA and the financial side, has quite a few laws as well, especially when it comes to state regulation of notification. HIPAA has its own set, which is broader than a state’s financial notification requirements. Cloud computing, storing information offline with a third party, is becoming more of a concern; it’s just getting people to realize where the risk concerns are.
Response Cost Per Record Slide:
This page talks about cost. These are from a survey done by the Ponemon Institute; they’re good figures. They’re a little bit off from what our experience is because Ponemon brings into their study lost customers and loss of business, which skew the numbers a little bit. What we see for notification, discovery, forensics, and legal expenses (and those legal expenses would include navigating the notification laws) is typically between $10-15 for all of those combined. The $35 for credit monitoring and ID theft services is also a little high; it’s closer to $15-20. ID theft services include call centers that people can call to find out what happened, what they need to do, what’s available to them, and it includes restoration services if someone had an ID theft. The average is $194 per record, including the response cost, the liability that arises from a breach, or also class action. $5.5 million is the average breach number, and 15% is for attorney fees on the liability.
Cyber Liability- Coverage Descriptions Slide:
The privacy regulatory action is obviously important in regards to the healthcare industry. If OCR does find out about a breach, you have coverage, but only if you do find out about a privacy or security breach; so it’s not going to cover a random audit, it’s just going to cover a patient complaint, if they find out they’ve had a breach from you, or the state attorney. It will help with your investigative costs associated with the investigation, and also help with the fines and penalties if it’s insurable in the state.
The breach response coverage covers, as soon as you have a breach or incident, finding out if you actually have an incident; so computer forensics, hiring a law firm or a firm to help with the notification law, the credit monitoring and ID theft services, and also the hiring of a crisis management or public relations firm to help mitigate any reputational harm, which can be important. One note: the policies will usually cover notification when it’s required by state law. Again, with HIPAA it’s a little more far-reaching, so you have more of a chance of getting it covered. For example, if you had encrypted employee social security numbers compromised, it’s called voluntary notification if you want to let those people know anyway, even though it doesn’t trigger notification law. They will usually provide coverage; you just have to get carrier approval first. And usually, if they don’t cover it for the full amount of the breach response limit, they sometimes supplement it.
Coverage Descriptions Ctd. Slide:
These are coverages that are available under the cyber policy; you can get them elsewhere, so they’re optional under the cyber policy. Media liability: you can get a standalone policy, but you also have some coverage under the general liability coverage policy. GLs are usually for advertising only, and it usually doesn’t include intellectual property infringement, so you might not have copyright or trademark infringement coverage; you might just have the personal injury. For this, you can purchase a couple of different options under the cyber policy. It can be for your website, any information disseminated on your website. Or it could be internet-based, which would include your website, but also anything sent over the internet, intranet, anything sent over emails, so it brings in a little more electronic data; anything electronic would be covered. Or you could get full media, which is also called enterprise media, multimedia, all kinds of things; that would cover both electronic and paper. So any way you can view published information would be covered.
The cyber extortion is actually an add-on, usually, that goes on the policies. We can have it taken off; it doesn’t affect the premium too much. This is obviously just the kidnap and ransom of information. For example, someone could physically steal a server and a year later they come back and demand money or they’ll release that information. This would cover the investigative expenses, the negotiation, that sort of thing, plus the extortion itself. But it could also be that a hacker gets into your system or network and says “this is how we did this, this is how you can plug your holes, so pay us money or we’ll release the information.” Both of those situations would be covered.
Network interruption is similar to property business interruption; it’s just specific to your network being down for security breach reasons. So if a virus brings it down, your lost business income would be covered and any extra expense would be covered. Again, you can find this in your normal property policy and could have it supplemented and extended to your network, which is why it’s an optional coverage. Also, some people don’t rely on their network being up for income. Yes, it relies on your service and what you do, but it doesn’t necessarily interrupt your income, so it wouldn’t be something someone needs. But we often do include it on any healthcare-related policies.
The data recovery is the restoring or recreating of data that has been damaged by a security breach. Again, it’s an outside cost; it wouldn’t cover your inside costs to do this.
So What Can You Do? Slide:
Now insurance, obviously, is just one piece of the risk management pie. You want to concentrate on prevention, be prepared in case you do have a breach, and be prepared to respond to it. All of those go along with the risk management. Prevention: having assessments performed, both network and HIPAA; having some sort of response in place, even if it’s just knowing who needs to be contacted, whether they know what vendors they would contact in case of a breach. Having the right limits and coverage in place can go a long way in transferring risk; just being prepared and knowing what you need to do in what type of breach will save a headache at that time.
Customer: With the new HIPAA rules that were just released last week, is there anything that’s really out there that we need to know immediately?
Joe: No, what happened was there was a revision or a consolidation of the HIPAA law that was called HIPAA omnibus. So what they did was take HIPAA components that include HITECH and the revisions over the years, and consolidated them into a new, updated HIPAA. So in the near term, if you’re a covered entity or a healthcare provider or insurance company, I think you still have to maintain the same amount of diligence as usual. The biggest impact will be the enforcement of HIPAA rules and laws on business associates. One of the things that they made very clear was this idea of transferring and making sure those audits are completed within the business associate community. Now, there are a couple of other pieces relative to covered entities that you have to think about. One of them is the whole idea of recording of use and disclosure. Ultimately, we’ve been waiting on this rule to be passed through final legislation, but electronic medical record software is going to have to beef up or enhance their audit capabilities around uses and disclosures of protected health information, because patients will have the right to request a list of disclosures and uses and for the organization to be able to provide that to them.