US Pro Insurance Services
Digital email

Final HIPAA Rule on Breach Notification – A Breach is Now Something Different

Cyber Liability Underwriting Exposures
From the wires of our valued carrier partner Beazley, an industry leader in Cyber Insurance programs, this edition of CLUE shares with our customers valuable changes in notification requirements regarding Protected Health Information. This news is especially significant for healthcare organizations such as hospitals, assisted living facilities and healthcare practices, and for their related vendors. Below is the article reproduced as written with the permission of Beazley.


Final HIPAA Rule on Breach Notification – A Breach is Now Something Different

Philadelphia, 18 January 2013

A key change to the notification requirements for breaches involving protected health information (PHI) could make a significant difference to healthcare providers, health plans and their vendors, increasing the risks of their failing to notify affected individuals.

Katherine Keefe, head of Beazley Breach Response Services, a dedicated unit within specialist insurer Beazley that helps clients manage data breaches, said:

“The long awaited final HIPAA rule readdresses the breach notification requirements first enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH) and changes the game fairly materially.”

Under the current interim rule, a breach is defined as an inappropriate use or disclosure of PHI involving significant risk of financial, reputational or other harm. The final rule changes this definition by stating that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.

“In particular,” Ms Keefe noted, “the final rule requires that four factors be considered when determining if PHI has been compromised. First, the nature and extent of the PHI involved. Second, the unauthorized person who used the PHI or to whom the disclosure of PHI was made. Third, whether the PHI was actually viewed or acquired. And fourth, the extent to which the risk to the PHI has been mitigated. The government makes very clear that each of these factors must be considered when evaluating impermissible uses or disclosures of PHI, and that compliance policies need to include these factors.”

Ms Keefe said that the final rule would likely make healthcare providers and health plans (and their business associates, which are also covered by the rule) even more wary about failing to notify affected individuals of inappropriate uses or disclosures of PHI. Even under the interim rule, in force since 2009, more than 21 million victims of “large” healthcare breaches (affecting 500 people or more) have received notifications.

While the final rule is slated to take effect on March 26th, compliance by covered entities and business associates is required by September 23, 2013.


Breach Response Costs

Your cyber policy should include reimbursement for legal and forensic expenses, customer support, credit monitoring and notification as a part of its breach response costs coverage.

Unencrypted devices

Carriers are adding exclusions for mobile devices that store or transmit unencrypted information. Be sure all information on mobile devices is encrypted, or implement a policy against the transmission or storage of unencrypted information on any mobile device.

Other Lines of Business

US Pro Insurance Services has more than 40 years of combined experience in D&O, E&O, and other Specialty Lines products. We are recognized nationally as a leading source of information on D&O, E&O, EPLI and Cyber products/coverage.