“What is exposure to the chance of injury or loss; a hazard or dangerous chance?”
The answer is: RISK
In my recent newsletters, we have been discussing risk in many forms, shapes and sizes. Additional definitions of Risk are:
The degree of probability of such loss.
The amount that the insurance company may lose.
A person, or thing, with reference to the hazard involved in insuring him, her, or it.
Another theme word has been Mitigate:
To lessen in force or intensity, as wrath, grief, harshness, or pain; moderate.
Why, you ask, the emphasis on these two words? Because these two words top the “most often used” list in the Office for Civil Rights (OCR) Resolution Agreements, and you will find them threaded throughout all the publications pertaining to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Director of the OCR, Leon Rodriguez, has been quoted using these terms many times.
What do the experts who provide services to those who handle Protected Health Information (PHI) have to say about risk and mitigating a potential risk?
Jane Anthony, Vice President and Sales Executive for L/P Insurance Services, handles multiple lines of insurance coverage. She has seen first-hand the effect on her clients of not having proper governance and compliance oversight. After a violation, her client of many years was forced to close their doors and is no longer able to practice medicine. In addition, Jane cautions our readers to be aware of the exclusions stated in their insurance policies. There could be language that would prevent an insurance company from paying out on a claim should it be proven that a governmental regulation, such as HIPAA, False Claim or Red Flag, was violated. There are HIPAA regulations at both the state and federal government level. By understanding the exclusion language and the insurance coverage of your policies, you are mitigating the risk of potentially having no coverage. Jane recommends that you consult your insurance broker to review your coverage on an annual basis.
In addition to having the correct insurance coverage, there is another risk that everyone who owns and uses a computer or mobile device, for personal or business purposes, undertakes daily: hacking, identity theft and spyware, to name a few. Recently I spoke to Rusty McCurdy, President and owner of MMA Systems. I asked him to give us an understanding, from an IT perspective, of what steps a professional service business that handles Protected Health Information (PHI), such as an attorney, CPA, medical provider or medical clinic, should take to mitigate the risk of a breach or other events that can make its systems inoperable. “First, you should ensure that your data is encrypted. The recent HITECH law of 2009 strongly suggests encryption. However, with the recent breach of over 80 million clients of Anthem Insurance, we will be seeing a much-needed change from encouraged to mandatory encryption.” Another area in which most industries handling PHI get tripped up is performing a regular Risk Assessment. This task has been a part of HIPAA for over 9 years. Understanding the wellness of your systems is fundamental in today’s technology world.
Attorney Troy Wallin of Wallin Hester, PLC, has some insight from a legal perspective on the steps you and your staff should take if you find yourself a victim of a breach or some other compromised situation. “First, you should gather all information regarding the incident and preserve all records and electronic data, as this will become necessary to disclose should any litigation proceed from the incident. Second, you should report the incident to your insurance company and legal counsel immediately. Third, as part of any incident investigation, you should interview your staff and other witnesses as soon as possible in order to determine exactly what took place and preserve memories and thoughts surrounding the incident. Finally, understand that you have various defenses that can be raised in the event any allegations are brought against you or your company. It is never a pleasant situation to deal with any claims against yourself or your business, but proper planning and immediate action when the incident arises can help alleviate much of the confusion and stress that might otherwise exist.”
Thanks to our experts for sharing their thoughts and insights.
March 1st is the deadline by which entities must report PHI breaches that affected fewer than 500 patients or clients in the previous year, 2014. Looking at 2014, with the massive number of reported breaches of over 500, any wagers on the final number? We will explore this further in our next newsletter.