However, the bill would assess additional penalties on organizations that have experienced a security breach. Such organizations would have to provide each individual whose information
was included in the security breach with a credit-monitoring
service for two years after the breach at no cost to the individual.
Moreover, entities may face penalties up to $5 million per violation.
The bill has been referred to the Senate Commerce, Science,
and Transportation Committee. When the Senate reconvenes,
the committee will determine whether to report the bill.
Cybersecurity Insurance
Given the threat of electronic data security breaches and the
increasing size and scale of costs and penalties associated with
such breaches, healthcare organizations may want to consider
investing in cybersecurity insurance.
Common cybersecurity policies include coverage for hazards
such as data privacy loss and repairs to company databases after system failures. Broader policies include coverage for costs
of notifying customers in the event of a breach as required by
the HITECH Act and loss of income from site failure.
Some policies even provide for crisis management coverage,
including hiring an emergency public relations team and monitoring credit for affected persons (as would be required by the
Data Security and Breach Notification Act of 2010). And some
cybersecurity policies provide coverage for the acts of “rogue”
employees in the inappropriate or even willful release of patient
health information. Traditional liability policies might not cover
deliberately inappropriate or illegal employee actions.
HIM Contributions to Cybersecurity Decision
Because they manage protected health information privacy,
HIM professionals have a role in a facility’s consideration of cybersecurity insurance.
HIM professionals know the risks associated with data breaches and inappropriate uses and disclosures, and they are charged
with managing employees whose rogue acts might expose the
healthcare provider to risk. In addition, HIM professionals are
generally the members of a provider’s administrative team that
work most closely with the business associates that provide services utilizing protected health information and thus would be
in the best position to know what risks exist in those relationships.
When making this decision, organizations may need to obtain the privacy and security policies and procedures implemented by business associates and make those available to the provider’s insurance underwriters. HIM professionals (in cooperation with the provider’s counsel) will be in the best position to know whether these policies and procedures are compliant and provide adequate coverage of reasonably anticipated problems. To the extent that a provider’s insurance coverage does not reach the actions of business associates, HIM professionals should insist that all business associates obtain and maintain such insurance, adding the provider as an additional insured.
Barry Herrin (barry.herrin@smithmoorelaw.com) is a partner in the Atlanta office of Smith Moore Leatherwood LLP. Frankie Jones (frankie.jones@smithmoorelaw.com) is an associate in the firm’s Greensboro, NC, office.