With the implementation of electronic medical records and the sharing of patient data by health care providers forming or participating in Accountable Care Organizations (ACOs), there is an increased risk of liability for breaches of the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA).
The Office for Civil Rights (OCR) reviews each HIPAA violation complaint it receives to determine whether an investigation is warranted. Potential statutory penalties for a breach of HIPAA may be as high as $1.5 million. In fact, after a recent OCR investigation, a Massachusetts hospital agreed to pay that amount to the U.S. Department of Health and Human Services to settle alleged violations of the HIPAA security rule.
To guard against HIPAA breaches, health care providers should act now to:
- Review their HIPAA policies and procedures and update them to reflect changes imposed by the HITECH Act.
- Conduct a risk assessment to identify potential weaknesses in privacy and security safeguards, take steps to mitigate those weaknesses, and revise their HIPAA policies and procedures to reflect those steps.
- Provide employee training on HIPAA policies and procedures
- Purchase an insurance policy that provides coverage for breaches of HIPAA privacy and security requirements.
The issue of insurance often arises when a health care provider enters into a business associate agreement with a vendor. The health care provider may request the vendor to indemnify the health care provider for any breaches of HIPAA, but the vendor will usually not agree to do so since they do not have insurance that provides coverage for violations of HIPAA.
This issue also arises in connection with the formation of ACOs. The ACO may ask participating health care providers to purchase a policy that provides coverage for HIPAA violations, while an ACO participant may ask the ACO to purchase HIPAA coverage and to list the participant as an additional insured.
Although there are a number of insurers offering insurance policies that are intended to provide coverage for HIPAA, a health care provider needs to be aware of whether potential liabilities, such as penalties that may be assessed by the OCR for a breach of HIPAA, are covered by these policies.
If you have any questions concerning HIPAA or would like assistance in updating your HIPAA policies and procedures, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this Alert. You can reach Rochelle at 617 456 8036 or rzapol@PrinceLobel.com.
If you would like assistance in evaluating insurance issues related to HIPAA, please contact Thomas M. Elcock, a partner in Prince Lobel’s Insurance and Reinsurance Practice. You can reach Tom at 617 456 8155 or telcock@PrinceLobel.com.