Technology
Sticky wicket
P-C agencies writing employee benefits are subject to
recently passed privacy laws
By Nancy Doucette
Do you ever get the feeling that there’s a shoe dangling over your head and it’s about to drop on you? According to agency management consultant Judi Newman of
Phaze II Consulting, Inc., if yours is an agency that is doing employee
benefits business and you haven’t taken steps to comply with HIPAA and HITECH laws, you might want to grab a
hard hat.
The figurative shoe in this case—compliance with the Health Insurance Portability and Accountability Act (HIPAA)—wasn’t as complex early on, Newman points out. Back in the early 2000s, health and
benefits records were still in file folders for the most part so it was easy
enough for P-C agencies to secure the files simply by putting them in locked
cabinets and secluding benefits staff so discussions with clients could be
private.
Truth be told, Newman says, most property/casualty agencies weren’t especially interested in or concerned about HIPAA compliance back then. Yet she
continued to discuss it with her clients, she would write articles about it for
the IIABA’s Virtual University newsletter, and she would market her “Agent and Broker HIPAA Compliance Toolkit.”
“I would get the occasional call from an agency that had a client who asked
whether they were HIPAA compliant,” she confides. “If the client were big enough that the loss of that client would dent the agency’s wallet, they’d get on the ball.”
But a lot has happened since those early years, less than a decade ago—both inside the insurance industry and in the wider world. For one thing, P-C
agencies stepped up their employee benefits production. Technology improvements
made it easier and less expensive to maintain records electronically.
Correspondingly, data breaches became more prevalent. And, perhaps most
significantly, the American Recovery and Reinvestment Act of 2009 (ARRA, a/k/a the economic stimulus package) became law.
Tucked away in the notoriously voluminous stimulus package is Title XIII,
subtitled “Health Information Technology for Economic and Clinical Health” (HITECH). It’s Title XIII, Newman says, that is the game changer for property/casualty
agencies doing even the slightest bit of benefits business. The changes don’t alter the privacy and security rules issued under HIPAA, she says—they build on them. Oh, and by the way, the compliance deadline was February 17, 2010.
Newman draws on some figures available from affinity groups serving the benefits
world when she states that less than 20% of the P-C agencies that have benefits
operations are in compliance. “Agents don’t understand that these laws affect them,” she says. “It’s not that they don’t care.”
“Insurance agencies involved in the sale and service of group health insurance
coverage are ‘business associates’ of ‘covered entities,’ their clients,” Newman explains. “If an agency sells one group health policy, the agency becomes a business
associate.”
That’s not new. What is new, she says, is that business associates (the agency) must now comply with
most HIPAA provisions. “For the first time since HIPAA was enacted, business associates are directly
accountable to the government, and subject to civil and criminal liability,
fines and penalties, for failure to meet HIPAA Privacy and Security Rules,” she adds.
Newman adds that HITECH also established the breach notification standards—the disclosure requirements that must be followed when there is a breach of an individual’s “electronic protected health information” (e-PHI). Business associates are now required to notify the covered entity and
individuals, as well as the U.S. Department of Health and Human Services (HHS),
of breaches where consumer e-PHI is or may be compromised.
As of late October 2010, more than 510 million records have been breached,
according to the Privacy Rights Clearinghouse, which started tracking data
breaches in April 2005. With that in mind, Newman says agents shouldn’t focus on “if” they will be affected by a data breach; it’s more a matter of “when.”
“A breach could result from a lost or stolen laptop or other mobile device such
as a flash drive or smartphone,” she notes. “And of course hackers are working all the time to get at this data.
“As a business associate, P-C agencies might not deal directly with e-PHI, but
they do have access to it,” she explains. “When an agency sells a group health insurance plan and completes a census to get
a proposal, that agent is accessing e-PHI and the agency has it on file.” And that makes them accountable under HITECH.
Additionally, Newman says, HITECH “creates substantial new opportunities for aggressive enforcement of HIPAA rules.” Whereas HHS didn’t have sufficient resources to conduct compliance audits pre-HITECH, periodic
audits are mandatory under this legislation and appropriate resources have now
been allocated. On the federal level, enforcement is overseen by HHS and the
Office for Civil Rights. Closer to home, state attorneys general have been
given authority to pursue business associates for HIPAA violations. Fines and
penalties now start at $25,000 per violation and, in cases of willful neglect, run up to
$1.5 million for the calendar year.
As Newman pointed out in one of her recent Virtual University articles, “As state attorneys general become more aware of how to pursue noncompliance by
business associates, the greater chance there is that an agency will be
audited. After all, it will mean dollars for the state’s coffers.” Effective January 2012, she adds, so-called whistleblowers as well as
complainants get to share in the fines and penalties.
IIABA members can access Newman’s articles on HIPAA and HITECH through the Virtual University. The Big “I” has also developed an executive summary on implementing HIPAA’s privacy requirements. Its outside counsel has written a memorandum on final
HIPAA privacy regulations. Both documents are available to members at the Big “I” Web site (www.independentagent.com).
Getting your house in order
Newman offers agencies a HIPAA compliance audit. “I have 28 pages of questions,” she reports. “I meet with various people in the agency—the privacy officer, the security officer. For every question, I cite the part
of the law that stipulates a particular requirement. I spend a lot of time with
the IT folks because they’re in charge of making sure that the data is secure.
“You must follow the rules,” she emphasizes. “HIPAA security rules were developed by the National Institute of Standards and
Technology. It’s bigger than just insurance agencies. It affects the whole medical world.
“So while these protocols haven’t been written expressly for insurance agencies, agents still need to know what
they are so they can be built into the agency’s security program,” she states.
Newman says her audit includes questions about workforce security—what people can and cannot do—including specific agreements with employees about not taking work home. Some of
the other areas she explores include:
• information access management
• facilities access security
• device and media controls
• security awareness and training
• security incident procedures
“The audit culminates in a completed assessment as well as a written report with
specific recommendations to achieve compliance,” Newman explains. “Of utmost importance is having HIPAA-specific written documented policies and
procedures as required by the law.”
In light of the prevalence of data breaches and increasing regulation with
respect to data privacy, carriers such as The Chubb Group of Insurance
Companies and The Hartford have responded by developing cyber insurance
policies.
“Traditional insurance programs aren’t designed to respond to the additional costs that an organization has to incur
to notify individuals following unauthorized access to those individuals’ personal information,” observes George Allport, a vice president in Chubb Specialty Insurance. About
50% of Allport’s time is devoted to the ongoing support and development of CyberSecurity by
Chubb℠, which he says helps protect all types of commercial organizations against losses
resulting from data security breaches.
The Hartford’s CyberChoice 2.09℠ is a relatively recent enhancement of the carrier’s suite of cyber liability products. “Think about how technology has evolved in just the last three years,” says Michael Dandini, senior vice president of Hartford Financial Products. “Insurance products have evolved as well.”
“Cyber liability is still a comparatively new product,” notes John Merchant, AVP of cyber, e-media and miscellaneous professional
liability within the Hartford Financial Products unit.
“The coverage has been around for about 10 years, but it has undergone a
significant evolution.”
Dandini says he and Merchant are helping agents and their clients become more
familiar with the cyber liability products as well as the complex cyber risk
landscape for which the products are designed. “Not only are agencies trying to teach their clients about the exposures inherent
in cyber risk, the agencies themselves have many of the same exposures,” Dandini notes. “After all, agencies keep personally identifiable information. As such, they are
grappling with the same issues as their clients.”
Dandini, Merchant and their team also help agents understand that the cyber
liability sales process tends to be longer because of the amount of
client/prospect education that must occur.
Chubb’s Allport also educates agents and their clients. He’s been working with the CyberSecurity product since 2005 and says he spends a
good deal of time traveling around the country giving presentations on cyber
risk. In 2010, he gave some 20 presentations. “The presentation that I give to agents and brokers alerts them that HIPAA/HITECH
presents a risk to them and their clients. I try to help them understand that risk and also prepare them
to discuss the risk as well as the insurance response with clients and
prospects,” he explains.
“Out of all the organizations in the United States that face this exposure—and every company does—insurance agencies are one of the more complex and diverse,” Allport continues. “It’s not just because of HIPAA/HITECH, by any means. Agents may be a business
associate under HIPAA, but a lot of agencies aren’t. That said, they still have massive amounts of client data—social security numbers, driver’s license numbers. Under almost all the state laws that I’ve looked at, notifications must go out if there is unauthorized access to
driver’s license information.”
While some of this data may be used for underwriting purposes, there is also an
abundance of personal information in claim files. If it is breached,
notification is required. And if that doesn’t complicate matters enough, different states have different definitions of what
is personal information as well as different notification protocols. As of
October 2010, 46 states had enacted legislation requiring notification of
security breaches involving personal information. While there are areas of
similarity among the state laws, Allport, Dandini and Merchant all emphasize,
there’s no consistency.
“If you have a data breach that involves individuals in multiple states, somebody
has to go in and identify which individuals in which states need to be notified
and then look at the individual state law pertaining to the notification. Then
you need to make sure your notification is crafted properly so that you’re fulfilling all of the requirements within that law,” Allport points out. “It gets to be mind boggling.” And it can be expensive.
Allport says that some studies indicate that the current cost per record
following a breach is between $30 and $50. That includes forensics,
notification, credit monitoring services and other public relations efforts to
restore consumer trust following a breach. He says CyberSecurity by Chubb
covers those additional costs. He adds that there is an endorsement to the
CyberSecurity policy that provides coverage for the defense of a regulatory
action. “That anticipates action by HHS, the Office of Civil Rights or by any other
governmental or quasi-governmental body, including a state attorney general,” he says.
Hartford’s Dandini and Merchant explain that CyberChoice 2.09 is a hybrid policy form
that provides both first-party expense and third-party liability coverages. “In the event of a data breach,” Merchant explains, “first-party expenses cover costs related to notification and credit monitoring
for affected individuals, crisis management/public relations, and computer
forensics.
“A regulatory investigation or proceeding is also a possibility,” he notes. Looking specifically at HIPAA/HITECH, Merchant says: “If an organization violates any portion of either of those laws and is assessed
a fine or penalty, CyberChoice 2.09 provides coverage.”
Merchant goes on to say that the policy also provides liability coverage for
companies that experience the loss or theft of third-party non-public personal
information. “Companies that collect or store massive amounts of non-public personal
information often view that data as an asset,” he points out. “However, it can also be a liability, and if lost, it can lead to lawsuits
alleging invasion of privacy and/or identity theft. If enough data is lost,
these suits can become class actions.”
Additionally, Merchant says, CyberChoice 2.09 covers “disconnected” devices such as laptops and any mobile device containing personal information.
Of course the best defense is a good offense. Both Chubb and Hartford want to
know about an organization’s security policy as part of the underwriting process.
Dandini says Hartford’s underwriting process “looks favorably on a company that will hire a third party to do penetration
testing. For example, many hire ‘ethical hackers’ to test their systems under controlled circumstances. They then produce a
report detailing the holes in the business’s security—should there be any. You want to hire a third party in addition to your own
internal IT person. Trust, but verify.
“Most businesses use a third-party auditing firm for their financials,” Dandini continues. “Why wouldn’t a business use a third-party organization to test its own controls relative to
penetration and compliance with state and federal regulations? It’s just good, proven risk management.”