HIPAA Lesson 2: Insurance, Training Can Protect Against Violations Due to Employee Error, Cyberattacks

Posted on in Education/Training

By Dorothy de Souza Guedes

International cyber terrorists and criminal hackers using ransomware can breach your organization’s cybersecurity and expose business information. But when it comes to HIPAA violations involving unauthorized access to patient protected health information (PHI), the cause is often far less sophisticated.

“It’s human error that’s leading to a lot of these breaches, not overseas hackers,” said Bill Wilson, vice president, VGM Insurance Services.

Specialty insurance policies protect a business from the financial damages of both high-tech and low-tech security breaches, but training employees can help prevent the problem from occurring in the first place. To obtain coverage, an applicant must complete an application that documents the security measures already in place, which may prompt a business owner to strengthen cybersecurity. Insurance and education go hand-in-hand, Wilson said.

Employee errors

Employee errors that have resulted in HIPAA violations include disclosing information in phone messages, discussing treatments or procedures where they may be overheard, labeling files in a way that discloses diagnoses, or inadvertently faxing or emailing patient information to the wrong person.

When it comes to cybersecurity breaches and attacks across all industries, a 2014 Ponemon Institute study found that 30 percent were caused inadvertently by negligent insiders.

Errors include opening malware-laced email attachments or losing a cell phone or laptop that was used to access patient records. Both could expose your computer network – and your business – to cyberattacks, resulting in lost business and HIPAA violations.

Insurance protection

Even if your organization does not receive a hefty HIPAA penalty, the cost of securing PHI and ePHI (electronic PHI) after a breach can bankrupt a small business.

There are two types of insurance policies that can protect your business in the event of a breach:

  • Up to $50,000 coverage for investigation and defense of HIPAA violations is provided under the Professional Liability Enhancement endorsement available from VGM Specialty Underwriters.
  • Cyber Liability Insurance available through VGM Insurance Services protects against cyberattacks of all types, including those that result in potential HIPAA violations via unauthorized access to PHI.

Because each business is unique, no two cyber policies are the same, Wilson said. VGM Insurance can advise business owners how to fill in the gaps between first- and third-party liability policies.

And providers contracting with health systems are commonly required to carry cyber insurance. “It’s just part of doing business,” Wilson said.

Low-tech employee HIPAA violations

HIPAA violations can be surprisingly low-tech. Paper records also fall under HIPAA, and a cyber insurance policy can cover the costs of related violations. For businesses providing health care services to in-home clients, paper records are often transported off-site.

Take the example of a Florida-based national respiratory care and homecare giant, which was slapped with $239,800 in civil penalties after an Arkansas center manager abandoned nearly 300 patient records under a bed and in a kitchen drawer when she moved out of her home. Like others of the organization’s staff, the manager regularly kept unsecured patient records in the car she shared with her husband.

Investigators learned that neither the manager nor anyone else at the organization even knew the documents were missing until months later, when they were reported by the manager’s estranged husband, who found the records but was not authorized to access them. He told his wife’s employer, then filed a complaint with the Office for Civil Rights (OCR), which investigates HIPAA violation complaints.

Policies and staff training

OCR found the organization’s HIPAA violation went beyond one employee’s carelessness. Investigators learned that even after it discovered the breach, the company took no steps to prevent further disclosure. Although its policies did not specifically address the security of records taken off-site, the organization claimed its employees had received adequate training on privacy policies. OCR disagreed, noting that the organization “offers no real evidence describing the training curriculum.”

Training for Staff

HIPAA mandates that employee training must be backed by enforceable, understandable policies. Annual HIPAA training of employees is a must, but how do you know if you’re learning the most current HIPAA information?

VGMU Online Learning offers a three-part series of HIPAA courses. The first, “HIP001 – Understanding HIPAA,” is designed to teach HIPAA basics, including faxing, social media and text messaging PHI. The second course, “HIP002 – Working with HIPAA,” focuses on workplace policies and employee training, giving common scenarios that HME employees may face. The final HIPAA course, “HIP003 – Managing HIPAA,” discusses the duties of the privacy officer, a role required by HIPAA for an organization to be in compliance.

Employee education should also include cybersecurity training to limit access to PHI and protect your entire network. Basic cybersecurity training for employees should cover:

  • Creating strong passwords or passphrases
  • Following the organization’s required remote access procedures
  • Saving and downloading work files that contain sensitive information securely
  • Recognizing the signs of phishing attempts
  • Spotting fraudulent emails

What you should know

Need more information about insurance coverage for investigation and defense of HIPAA violations? Contact Bill Wilson, vice president, VGM Insurance Services, at 800-205-0091 or [email protected].

Is educating about HIPAA on your to-do list? VGMU Online Learning HIPAA classes are included in a VGMU subscription or can be purchased separately. For more information, call Megan Kraft, inside sales and customer service manager, at 888-786-6628.

ACES’ Border Patrol offers network security at discounted rates to VGM members.