US Pro Insurance Services

HIPAA and Cyber Insurance – A Business’ Existence is at Stake

HIPAA, the ACA, and the HITECH Act have all been brought to the forefront of mainstream media coverage of Cyber exposure. The convergence of these laws with the obligation to protect the privacy of data brings looming cataclysmic consequences with the October 1 implementation of the Affordable Care Act and enrollment in the health care exchanges. Compliance with HIPAA requirements, which already mandate the protection of such data, is a daunting task for these new entities in a world experiencing a threefold increase in identity theft compared with just two years ago.

US Pro is America’s Cyber Insurance Expert, and as such we spend every day searching for Cyber Insurance stories impacting the commercial business community and underscoring the dramatic role that Cyber Insurance can play in the survival of a business. With the new health care law in full effect, HIPAA and the HITECH Act mandating strict privacy compliance, and Cyber theft already on the rise, you can expect to see a dramatic rise in events, and the costs of these events to commercial businesses will be exponential.

Below is a look at some recent events, as well as some fascinating statistics as reported to the Office for Civil Rights (OCR), an agency of HHS.

From the Minneapolis Star Tribune report:
An MNsure employee accidentally sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2,400 insurance agents. An official at MNsure, the state’s new online health insurance exchange, acknowledged it had mishandled private data. An MNsure security manager called the broker, Jim Koester, and walked him and his assistant through a process of deleting the file from their computer hard drives. Koester said he willingly complied, but was unnerved.

Affinity Health Plan
A high-profile HIPAA data breach at Affinity Health Plan, caused by PHI left on a discarded photocopier, has resulted in a $1.2 million fine by the Department of Health and Human Services. A discarded photocopier, you read that right. It didn’t help that the CBS Evening News bought the used photocopier and was able to retrieve PHI from it.

OCR conducted an investigation and found that “Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.”

In addition, OCR found that “Affinity failed to incorporate the electronic protected health information stored on the photocopier hard drives in its analysis of risks and vulnerabilities as required” under HIPAA.

PHI stored on mobile devices and on the embedded storage of office equipment such as photocopiers is an overlooked problem when it comes to HIPAA privacy and security: any device with a hard drive that has processed PHI must be included in the risk analysis and wiped before it leaves the organization. Hopefully this case will serve as an educational warning to other HIPAA covered organizations.

Texas Health Harris
In one of the biggest HIPAA privacy breaches of 2013, and among the largest to date, Texas Health Harris Methodist Fort Worth is notifying some 277,000 patients that their protected health information has been compromised after several hospital microfiche sheets, which were supposed to be destroyed, were found in various public locations.

Texas Health Fort Worth had contracted with Toronto-based Shred-it to destroy the confidential patient information, but the microfiche was not actually destroyed as agreed upon in the contract, officials say. Instead, a local resident found a portion of the microfiche in a nearby park in May. Additionally, three other sheets of microfiche were found in two other public areas.

The records on the microfiche contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and in some cases Social Security numbers.

According to a Texas Health website notice, Shred-it assured the hospital that the microfiche remaining in its possession had been disposed of. When asked why the other microfiche sheets were not properly destroyed, Shred-it had not responded to Healthcare IT News for comment by publication time.

Watson says the microfiche was limited to Texas Health Fort Worth patients who were seen between 1980 and 1990. Patient notification letters were mailed out starting July 11.

OCR Statistics and Facts
OCR reported it had received 85,239 complaints in total, which implies that it received 1,558 in August, marking the second straight month in which complaints exceeded 1,000. In July, OCR received 1,117 complaints, which represented a sharp increase over the 774 the agency received in June. Of the 30,886 HIPAA complaints that fell within OCR’s jurisdiction, 21,271 required corrective actions by covered entities (CEs).

An analysis by HIP/SA found that the agency determined that 597 complaints required CE action in August, a steep increase over the 315 complaints that required action in July and the 303 complaints in June. Investigations of the remaining 9,615 complaints within OCR’s jurisdiction found no violation. The agency said it had resolved 91% of all the complaints it had received. However, that statistic included a large number of complaints (47,883) that did not fall within OCR’s jurisdiction. Overall, about 27% of total complaints resulted in some corrective action by CEs. This share has been growing since the HITECH Act breach reporting requirements went into effect in September 2010.

At that time, approximately 22% of covered entities had to make changes as a result of a complaint. OCR’s numbers indicated that it had 7,102 complaints in some phase of the investigative process in July. It had 7,006 in June and 7,160 in May.

OCR has referred more than 518 cases to the Justice Department for possible criminal prosecution, a figure which indicates it made no referrals in August. Referrals for criminal prosecution do not necessarily mean the Justice Department will act. Often, these decisions are left to the U.S. Attorneys in whose jurisdictions action may be required, and the U.S. Attorneys typically determine where to put their prosecutorial resources.

OCR released a memo to the public reminding patients and the healthcare community that patients are entitled to access their medical records at reasonable cost. The most common types of covered entities that had to take corrective action were:
• Private Practices;
• General Hospitals;
• Outpatient Facilities;
• Health Plans; and
• Pharmacies

The agency recently revealed that the Justice Department had agreed to pursue 54 of the referrals since OCR started the complaint system in April 2003. The privacy areas investigated most often were:
• Impermissible uses and disclosures of protected health information (PHI);
• Lack of safeguards of PHI;
• Lack of patient access to their PHI;
• Uses or disclosures of more than the Minimum Necessary PHI; and
• Lack of administrative safeguards of electronic PHI.

A quick eyeballing of the data yields a ranking of the states with the most breach incidents:
California (68), Texas (47), Florida (35), New York (35), Massachusetts (22), and Indiana (21). These rankings more or less correlate with records exposed: California (3.98 million), Texas (.24 million), Florida (2.7 million), New York (2.4 million), Massachusetts (1 million), and Indiana (.1 million). These results are perhaps not that surprising, since these states are home to major hospitals and other medical facilities. To paraphrase Willie Sutton, medical data thieves go where the PII is.

All of this serves as a reminder of how important it is for every business to secure Cyber Insurance; further delay continues to compromise the integrity of your insured’s business every day they go uninsured. Write us today at for an immediate quote.