• For the Daily Double

  • “What is exposure to the chance of injury or loss; a hazard or dangerous chance?” 

    The answer is: RISK

    In my recent newsletters, we have been discussing risk in many forms, shapes and sizes. Additional definitions of Risk are:

    • The degree of probability of such loss.
    • The amount that the insurance company may lose.
    • A person, or thing, with reference to the hazard involved in insuring him, her, or it.

    Another theme word has been Mitigate:

    • To lessen in force or intensity, as wrath, grief, harshness, or pain; moderate.

    Why, you ask, the emphasis on these two words? Because these two words top the “most often used” list in the Office for Civil Rights (OCR) Resolution Agreements, and you will find them threaded throughout all the publications pertaining to the Health Insurance Portability & Accountability Act of 1996 (HIPAA). The Director of the OCR, Leon Rodriguez, has been quoted using these terms many times.

    What do the experts who provide services to those who handle Protected Health Information (PHI) have to say with regard to risk and mitigating a potential risk?

    Jane Anthony, Vice President and Sales Executive for L/P Insurance Services, handles multiple lines of insurance coverage. She has seen first-hand the effect of clients not having the proper governance and compliance oversight. After a violation, her client of many years was forced to close their doors and is no longer able to practice medicine. In addition, Jane cautions our readers to be aware of the exclusions that are stated in their insurance policies. There could be language that would prevent an insurance company from paying out on a claim, should it be proven that a governmental regulation was violated, such as HIPAA, False Claim or Red Flag. There are HIPAA regulations at both the state and federal government levels. By understanding the exclusion language and the insurance coverage of your policies, you are mitigating the risk of potentially having no coverage. Jane recommends that you consult your insurance broker to review your coverage on an annual basis.

    In addition to having the correct insurance coverage, there is another risk that everyone who owns and uses a computer or mobile device for personal or business purposes undertakes daily: hacking, identity theft and spyware, to name a few. Recently I spoke to Rusty McCurdy, President and owner of MMA Systems. I asked him to give us an understanding, from an IT perspective, of what steps a professional service business that handles Protected Health Information (PHI), such as an Attorney, CPA, Medical Provider or Medical Clinic, should take in order to mitigate the risk of a breach or other events that can make its systems inoperable. “First, you should ensure that your data is encrypted. The recent HITECH law of 2009 strongly suggests encryption. However, with the recent breach of over 80 million clients of Anthem Insurance, we will be seeing a much-needed change from encouraged to mandatory encryption.” Another area in which most industries handling PHI get tripped up is performing a regular Risk Assessment. This task has been a part of HIPAA for over 9 years. Understanding the wellness of your systems is fundamental in today’s technology world.

    Attorney Troy Wallin of Wallin Hester, PLC, has some insight from a legal perspective on the steps you and your staff should take if you find yourself a victim of a breach or some other compromised situation.  “First, you should gather all information regarding the incident and preserve all records and electronic data, as this will become necessary to disclose should any litigation proceed from the incident.  Second, you should report the incident to your insurance company and legal counsel immediately. Third, as part of any incident investigation, you should interview your staff and other witnesses as soon as possible in order to determine exactly what took place and preserve memories and thoughts surrounding the incident.  Finally, understand that you have various defenses that can be raised in the event any allegations are brought against you or your company.  It is never a pleasant situation to deal with any claims against yourself or your business, but proper planning and immediate action when the incident arises can help alleviate much of the confusion and stress that might otherwise exist.”

    Thanks to our experts for sharing their thoughts and insights.

    March 1st is the deadline by which entities must report their PHI breaches that affected less than 500 patients or clients in the previous year of 2014. Looking at 2014, with the massive numbers of reported breaches of over 500, any wagers on the final number? We will explore this further in our next newsletter.

    Judith Lindsay