By Jack Anderson
July 14, 2014
The Health Insurance Industry is Leaking HIPAA Data
(Over 3 Million Patient Records)
We have been helping insurance agencies and producers get HIPAA compliant, stay compliant, and prove compliance with our Compliance Meter® since 2010. Our privacy and security expert partner Rebecca Herold, CISSP, CIPP/US, CIPP/IT, CISM, CISA, FLMI, www.theprivacyprofessor.com, has experience with health insurance companies going back to the 1990s.
While the companies working with us have recognized their responsibilities under HIPAA, the vast majority are still in a state of either ignorance or denial. The carriers, who are considered covered entities, should have been HIPAA compliant long ago. The agencies and producers, who are business associates, were required to be HIPAA compliant as of September 23, 2013.
A cursory examination of the Wall of Shame, which records HIPAA data breaches of more than 500 records, reveals that insurance companies are leaking data; in fact, by my calculations they have leaked over 3.5 million patient records. Most of these involved lost or stolen laptops and other unencrypted mobile storage devices, but there were some more creative leaks:
• One company donated a file cabinet to a non-profit organization but forgot to remove the thousands of paper patient records it contained.
• An employee stole over 20,000 patient records by sending them to his personal email address.
• A company put insufficient postage on some tapes and they disappeared into the postal system.
• A hard drive was reported missing with thousands of patient records.
• 8,000 patient records were set up in an accessible file on the Internet.
• A call center worker for a health insurance company left a backpack with patient data at a Starbucks.
• A salesman entered an incorrect group number and sent thousands of patient records to the wrong party.
• Nine servers disappeared from a data center with nearly 2 million patient records.
The list goes on and on, but the message is clear: protect your patient data by getting HIPAA compliant and staying HIPAA compliant.
These examples were HIPAA data breaches of over 500 records, but what about smaller breaches? They still need to be reported, and in 2012 there were over 13,000 of them, 61% of which were paper breaches. Industry experts agree that many more small breaches are never reported, either through ignorance or deceit.
As we look at the health insurance industry, we see the greatest risk for small breaches at the producer level, so we have developed some special programs for that group.
Our first health insurance client in 2010 was an early adopter who realized that a HIPAA data breach could be a serious financial blow to his company. He hired an outside firm to do a HIPAA risk assessment and was then referred to Compliance Helper to help him remediate or mitigate the risks identified. Once we got them through this process, he asked me what they could do about the several hundred producers who sent them health insurance applications, since they were clearly business associates. The HIPAA Omnibus Rule was not yet in effect, so technically they did not need to be HIPAA compliant unless they had signed a business associate agreement stating that they were. The challenge for us was the fact that these were independent 1099 workers with generally fewer than 5 employees and fairly low revenues. We developed a special program, now called HIPAAssure™ Micro, for that market. We made it simple, easy to use and inexpensive.
That first client now requires all of his producers to sign a business associate agreement and has recommended that they look at HIPAAssure™ Micro as a solution.
Whether you are a carrier, an agency, a master general agency or a producer, you have an obligation to get HIPAA compliant, stay compliant, and be prepared to prove your compliance.
For a free HIPAA compliance checklist go to www.compliancehelper.com, or if you want further information, including a demonstration of our services, email me at jack@compliancehelper.com.