The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that safeguards patient health information. It also gives people access to their records and the right to request corrections.
In addition to protecting patient privacy related to identity and protected health information, HIPAA rules are meant to reduce health care fraud and establish industry standards for electronic billing and recordkeeping. The HHS Office for Civil Rights (OCR) monitors compliance, investigates violations and enforces penalties.
Individuals or organizations subject to HIPAA regulations are called “covered entities.” According to the U.S. Department of Health and Human Services (HHS), covered entities include:
- Health care providers who electronically transmit health information in connection with HIPAA-covered transactions. Examples include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
- Health plan organizations, including private, corporate and government programs that pay for health care. Examples include company-sponsored health plans, Medicare, Medicaid and military health care programs.
- Health care clearinghouses, which process health information received from other entities in nonstandard formats or mediums into standard formats, or vice versa. Examples include billing services and community health information systems.
HHS also requires HIPAA compliance for any organization considered to be a “business associate” of a health care provider, health plan or health care clearinghouse.
It’s crucial to understand your company’s obligations regarding HIPAA. It’s also crucial to have insurance coverage for errors that lead to violations of the law. Below are some details that can help you stay in compliance.
Business associate responsibilities
Recognizing that most health care operations require outside business services, HIPAA’s Privacy Rule allows transmission of private medical records and identifiable information to third parties as needed. Its Security Rule provides guidelines for administrative, physical and technical safeguards to protect data.
Examples of business associates include accountants, financial service and billing providers, lawyers, third-party administrators, medical transcriptionists, data analysts, consultants and pharmacy benefits managers.
When a covered entity establishes a partnership with a new business associate, a written contract or another agreement must verify that the business associate understands and agrees to follow the HIPAA Privacy Rule. The document should define the intended use of the data, the appropriate safeguards expected, the data breach protocols and the criteria for contract termination.
Any identifiable data points or protected health information exchanged must be limited to the minimum information required for the business associate to perform its contracted service.
The business associate may not use any information it receives from the covered entity for its own independent use or purposes, except as needed for its proper management and administration.
Manage your risk and secure the right insurance
The information shared above is only a general summary of HIPAA. With so many nuances, mistakes can happen. The average financial penalty for such a mistake now stands at $1.5 million, according to the HIPAA specialist company Compliancy Group.
The penalties for individual HIPAA violations are divided into tiers based on culpability and severity. You may face:
- Civil monetary penalties, which range from just over $100 to more than $68,000.
- Criminal penalties, including fines and imprisonment, especially when an investigation uncovers intentional violations.
- Corrective action to ensure all HIPAA-required policies and procedures are in place as intended.
Whether you’re assessed a penalty or absolved of culpability, either scenario can require significant financial resources. This is where adequate insurance protection comes into play.
Your insurance policies should include HIPAA protection
A HIPAA violation can occur on many fronts, so it’s critical to understand the specific HIPAA protection each type of insurance provides.
- Depending on the policy and circumstances, medical malpractice insurance may cover costs associated with HIPAA violations. Discuss policy exclusions with your insurance professional.
- Vicarious liability insurance can protect your organization if you face a HIPAA violation due to actions or omissions made by your employees, independent contractors or other business associates acting on your behalf.
- Unless specifically excluded, most professional liability, or errors and omissions (E&O), policies cover expenses related to HIPAA violations caused by negligence, errors, lapses in privacy standards or other omissions.
- Most directors and officers (D&O) insurance policies include coverage for associated HIPAA violations. This type of protection is especially important for covered entities.
- Your cyber liability insurance should be designed for health care and related industries. Often referred to as HIPAA breach insurance, this type of policy should cover first- and third-party expenses related to a breach. First-party expenses are the costs you incur due to a cyberattack on your systems. Third-party expenses are for claims made by other parties, like customers or business partners, who suffer damages because of your cyber breach. Many insurance providers also include risk management resources and advice to help you lower your cyber exposure.
Avoid claims in the first place
While adequate insurance is crucial, there are also ways to lower the risk of a claim in the first place.
Effective strategies include ongoing training, data encryption, security procedures for devices and documents, proper document disposal and active system monitoring. You should also assign HIPAA oversight to an individual or department to monitor procedures, stay up to date on HIPAA changes, and apply government-provided privacy and security resources and tools.
Document everything related to HIPAA. This includes your HIPAA policies and procedures, communications related to HIPAA, training and monitoring processes, and signed business associate agreements.
If you suffer a data breach, don’t wait for someone else to report it. Report a breach within 60 days as required by HIPAA. By exercising good risk management and having solid HIPAA insurance coverage, you can help protect your firm from financial problems associated with health information records and transmission.
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem.