
HIPAA Breach Insurance

Breaking HIPAA compliance can not only result in fines and lawsuits but can damage your organization’s reputation and lower trust among consumers.

In October 2020, the health insurer Aetna agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to settle potential violations of HIPAA. What does HIPAA stand for? It is an abbreviation for the Health Insurance Portability and Accountability Act.

In late July 2021, UC San Diego Health disclosed that attackers had held access to multiple employee email accounts for roughly four months, exposing the personal and health data of hundreds of thousands of patients. The health system was accused of violating HIPAA and became the target of a class action lawsuit brought by several patients.

These cases show how severe HIPAA violations can be and why your organization needs to ensure that it is protected. A violation can be a critical blow to an organization in the healthcare industry, where consumer decisions are heavily influenced by trust and brand perception. Although you can reduce the likelihood of a breach with good security practices such as regular penetration tests and phishing training for employees, there is no way to eliminate all risk. This is why many healthcare organizations are turning to HIPAA breach insurance. Cybersecurity insurance that is focused on HIPAA breaches can help your organization be prepared for the unknown.

If you’re wondering, “what does HIPAA do?” or “what is the purpose of HIPAA?” you’ve come to the right place. Here at Trava Security, we have years of experience helping organizations and institutions in a variety of industries to prepare for, detect, and respond to cybersecurity threats. Read on to learn more about what HIPAA is, why compliance matters, and how HIPAA insurance can help you.


What Is The HIPAA Law?

What does HIPAA protect? The law establishes standards for the privacy and security of protected health information (PHI). PHI is any individually identifiable health information, such as medical histories, test results, and demographic data, that a covered entity creates, receives, maintains, or transmits. The law applies to health plans (including Medicare and Medicaid), healthcare clearinghouses, most healthcare providers, and the business associates that handle PHI on their behalf. There are also HIPAA obligations for individual healthcare professionals: much as lawyers must protect client confidences, doctors and other clinicians must keep patient data confidential when they store or share it, electronically or otherwise. Healthcare professionals have paid large fines and, in criminal cases, gone to prison for violating the privacy of patient data. This means that even if your organization simply provides subcontractor services to a covered entity, you must also ensure that your organization is compliant with the HIPAA regulations that apply to it.

The goal of the HIPAA law is to protect patient privacy by requiring organizations that handle patient data to take concrete steps to safeguard it. There are serious consequences for each HIPAA violation. Civil money penalties are divided into four tiers based on the organization’s level of culpability (whether it knew or should have known about the violation, and whether it corrected the problem), and each tier carries a range per violation:

  • Tier 1 (the organization did not know and could not reasonably have known): $100 to $50,000 per violation
  • Tier 2 (reasonable cause, not willful neglect): $1,000 to $50,000 per violation
  • Tier 3 (willful neglect, corrected within 30 days): $10,000 to $50,000 per violation
  • Tier 4 (willful neglect, not corrected): $50,000 per violation

These per-violation amounts accumulate, and each identical provision is subject to an annual cap (originally $1.5 million, since adjusted for inflation), so a breach that touches many records can add up quickly. In 2018, Anthem Inc. (now known as Elevance Health) agreed to pay $16 million to settle HIPAA violations connected to a breach that exposed the records of nearly 79 million people. As you can see, HIPAA violations can be highly costly.

What Is HIPAA Compliance?

The HIPAA regulation was born out of a recognition that technology was increasingly being used to transmit and communicate medical data and information. The speed and efficiency of this communication enable healthcare providers and professionals to deliver higher-quality services to patients. However, storing all of this data electronically also creates the risk that the data could be exposed by cyber criminals and hackers. HIPAA sought to strike the ideal balance between protecting patient data and enabling the smooth flow of information between health insurance companies and healthcare providers. If you are still wondering, “what is HIPAA and what is its purpose?” the four main rules of the law may help to clarify the issue.

The first HIPAA rule is the Privacy Rule. It is arguably the most important of the four and focuses on preventing the improper use and disclosure of PHI. Any HIPAA compliance examples will be built around this central rule. The Privacy Rule requires covered entities to control who can access PHI and under what conditions, to disclose only the minimum necessary information for a given purpose, and to guarantee every patient the right to inspect and obtain a copy of their own PHI. HIPAA also requires the documentation that demonstrates compliance (policies, procedures, authorizations, and similar records) to be retained for at least six years; retention periods for the medical records themselves are set by state law, not by HIPAA.

When it comes to practical compliance, the HIPAA Security Rule is key. It applies specifically to electronic PHI (ePHI) and mandates three kinds of safeguards to protect its confidentiality, integrity, and availability:

  • Administrative Safeguards (risk analysis and risk management, workforce training, contingency planning, and the policies and procedures that govern the security program)
  • Physical Safeguards (controls that restrict access to facilities, workstations, and devices or media that hold ePHI)
  • Technical Safeguards (access controls, audit logging, integrity controls, user authentication, and transmission security for ePHI moving across networks)

The typical HIPAA compliance checklist focuses on implementing these three kinds of safeguards. Published compliance guides also cover the accompanying audit requirements, training programs, and other measures for protecting PHI against theft or unauthorized access.

The last two HIPAA rules cover what happens after a breach. They are the Breach Notification Rule and the Enforcement Rule. Under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, regardless of its size. The deadline for notifying the HHS Secretary depends on scale: a breach affecting fewer than 500 individuals can be reported within 60 days after the end of the calendar year in which it was discovered, while a breach affecting 500 or more individuals must be reported within 60 days of discovery. A breach affecting more than 500 residents of a single state or jurisdiction also requires notifying prominent media outlets serving that area. Finally, the Enforcement Rule sets out the investigation procedures and civil money penalties that the Office for Civil Rights (OCR) applies to HIPAA violations; criminal violations are prosecuted by the Department of Justice (DOJ).


HIPAA Compliant

Who has to be HIPAA compliant? The law defines three categories of “covered entities,” plus a fourth group, business associates, that must comply because it handles PHI on their behalf:

  • Healthcare Providers: Hospitals, clinics, physician practices, and any other provider, regardless of size, that transmits health information electronically in connection with a HIPAA-covered transaction such as billing.
  • Health Plans: Health insurance companies, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), long-term care insurers, and government programs such as Medicare and Medicaid.
  • Healthcare Clearinghouses: Entities that convert nonstandard health information received from another entity into a standard format (or the reverse). These are often third-party organizations that process billing and claims data.
  • Business Associates: Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, such as subcontractors that provide billing, IT, or hosting services. Business associates are not covered entities themselves, but they must sign a business associate agreement and are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.

What HIPAA compliance looks like differs from one organization to the next. For example, if your organization operates a data center, server room, or any device with access to ePHI, that location needs facility access controls, such as locked doors, access logs, and monitoring, so that only authorized people can reach the equipment. If your organization provides a website where patients or professionals log in to view medical records, you need to make sure that the site itself is HIPAA compliant. That means following standard web security practices: serving every page over HTTPS (TLS) so that form submissions and sessions are encrypted in transit, encrypting records at rest, logging access to PHI, and using only hosting providers that will sign a business associate agreement. You should also protect logins with multi-factor authentication (MFA). These are the kinds of physical and technical safeguards the HIPAA Security Rule requires. By securing your organization against intrusion, you can remain compliant and avoid a costly HIPAA violation.

HIPAA Security Rule

The key takeaway to remember about the HIPAA regulation is that it is broken up into four main rules:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule
  • HIPAA Enforcement Rule

The Privacy and Security Rules place preventive requirements on organizations, while the latter two rules deal with how a breach is handled after it occurs. From a cybersecurity perspective, the Security Rule is the most important. One of its core requirements is to conduct regular, documented risk analyses that identify the threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of ePHI. Based on those assessments, you are required to implement and maintain security controls that reduce the identified risks to a reasonable and appropriate level.

Although not required for HIPAA compliance, HIPAA breach insurance can be one of the best ways to keep your organization protected against the unknown. Even after you have taken every reasonable precaution, a cyber incident can still occur, and you cannot afford to leave your organization exposed. That’s why Trava Security offers Cybersecurity Insurance as part of our comprehensive risk management solutions. This insurance includes coverage for stolen funds, lost business income, breach response costs, ransom payments, and replacement of computers and other devices lost in an attack.