For people involved with the distribution of medically underwritten insurance products, stories about hacking of big corporate databases may seem a little bit like reports of a few cases of Ebola cropping up on some distant continent.
Too bad for those folks, but you have appointments to remember and sales quotas to meet.
When Anthem Inc. (NYSE:ANTM) announced late Wednesday that it had detected an intrusion into one of its major databases, that was like seeing contagion control personnel in hazmat suits parking in your neighbor’s driveway.
Anthem has teams of compliance lawyers to understand the privacy and data security provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Anthem also has teams of information technology specialists to apply its knowledge of HIPAA and the HITECH Act.
You may have to rely on whatever help insurers and technology vendors are giving you, along with the wise counsel of the techie sister-in-law who helped you set up your WiFi network.
Meanwhile, hacked health records can sell for more than $10 each, and sometimes for as much as $1,300 each.
Insurers may have insulated you from the hazards of holding anything that HIPAA defines as “protected health information” (PHI) by re-working their underwriting procedures. If not, you could find that performing a task as simple as asking prospects and clients to fill out a screening questionnaire could expose you to unexpected risks.
To learn more about HIPAA PHI risks, read on.
1. For HIPAA privacy and data security purposes, you’re probably a “business associate.”
The Centers for Medicare & Medicaid Services (CMS), an arm of the U.S. Department of Health and Human Services (HHS), has created a 10-page packet to help organizations determine whether they are “covered entities” for HIPAA purposes.
Most health plans are covered entities, and CMS has been getting serious about applying HIPAA privacy rules to health plans.
Some companies that look like something other than health plans may be covered entities in some situations. In other situations, they and their affiliates may act as “business associates,” or entities that use PHI and have to meet roughly the same privacy and data security requirements that health plans must meet.
In theory, a business associate that violated the HIPAA rules could face a civil penalty of up to $50,000 per violation. An associate found guilty of willful neglect and a failure to address a problem promptly could face a civil penalty of as much as $1.5 million per violation.
2. The HHS Office of Civil Rights could be starting “Phase 2” audits any day.
CMS and HHS have applied the PHI rules to business associates since 2003, but, in practice, the HIPAA compliance enforcement body, the HHS Office for Civil Rights (OCR), has focused “Phase 1” audits on covered entities, not business associates.
OCR officials began getting official approvals for the paperwork they would need to conduct “Phase 2” audits, or audits of insurance agents and other business associates, about a year ago.