Articles
E & O Insurance
Since an E&O insurer cannot gauge the risk nor police the degree to which a broker is compliant with the privacy and security rules they will not insure it.
So to put it another way your firm is naked from a risk management perspective in terms of its insurance cover.
HIPAA HITECH is not some toothless DOL or ERISA law nor the HIPAA of 2003. WHY?
- HHS is going to use fines to fund enforcement.
- The state Attorneys General keep a portion of any fines they levy.
- There is a “tip line” setup and any whistleblower get to keep a portion of any fines they help create.
What is your risk? Let’s start with your reputational risk alone.
The last time that any of us heard the word “tattle tale” was probably in grade school but with HIPAA HITECH it is joining the lexicon of the healthcare and employee benefits worlds.
- There is the “tattle” rule that requires a BA, ie a broker or consultant, to report breaches to HHS on their own customers or face penalties themselves. Nice way to lose a client and tons of revenue.
- Even scarier is the "tip line" that is setup for "whistleblowers" to report breaches and the financial incentives they have to do so. A portion of any fines levied as a result of a whistleblower’s actions goes to that person.
So now every person in your own organization, the carriers or former staff could have a field day at your expense…and your E & O won’t pay a penny in your defense.
Are you paying attention now?
- A new “Tattle" rule requires BA’s to report their CE’s (clients and carriers) breaches.
- Local media notification is mandatory if a breach involves 500 or more lives allow the state Attorneys General to take legal action on privacy/security violations.
- Establish new criminal and civil penalties for noncompliance that apply to BA’s as well.
Penalty Fees
| Violation |
Penalty |
Maximum per Year |
|
Tier A – Did not Know |
$100.00 | $25,000.00 |
|
Tier B – Reasonable cause, not willful neglect |
$1,000.00 | $100,000.00 |
|
Tier C – “Willful Neglect”, corrected |
$10,000.00 | $250,000.00 |
|
Tier D – “Willful Neglect”, uncorrected |
$50,000.00 | $1,500,000.00 |
So your organization’s only defense against HIPAA HITECH penalties and reputational risk is to get compliant, stay compliant and be sure to encrypt your email when transmitting PHI.