Forget HIPAA and HITECH; beware privacy

By Rebecca Bole on October 30, 2014

The world’s largest Cyber Risk event for P&C Professionals was held October 28, 2014 in New York. Advisen Cyber Risk Insights conference attendees left with a solid understanding of the full range of

I sat down to the Healthcare Spotlight at this week’s Advisen Cyber Risk Conference expecting to hear 90 minutes of discussion on the old chestnuts of HIPAA and HITECH regulations – only to learn that if healthcare organizations are still focusing on these laws, they’re well behind the game.

Instead, Kimberly Holmes, vice president of product development at OneBeacon, stated her intention to focus on the proliferation of state privacy laws.

Not surprisingly, California is leading the way in this regard (with a recent tightening of its security breach notification statute to just 10 days). But Massachusetts, Texas and Florida are nipping at its heels.

Stuart Panensky, partner at law firm Traub Lieberman Straus & Shrewsberry outlined a dense web of state regulations that any healthcare provider must comply with, regardless of where the firm does business.

“Healthcare providers must look to the data and the various jurisdictions your data could cross,” Panensky said. “The regulations follow the data itself, not the locations in which the company does business.”

Crucially, there is an alarming lack of consistency between states as to their privacy regulations and how they are being interpreted and enforced.

Texas law, for example, purports to cover healthcare companies “doing business” in the state – but fails to define the term, according to healthcare risk management consultant Sheila Hagg-Rickert.

“Keeping up with the multitude of different rules is a real burden for multi-state companies,” Hagg-Rickert said.

And litigation is increasing at a fast pace too. Stanford Hospital recently settled a class action lawsuit for $4 million after a young business associate posted hospital data on a “homework help” website in a bid to get help with a project. Notably, the $4 million settlement included no federal regulatory fine.

Sutter Health paid $3 million to settle a case even though no link was found between any identity theft and the theft of two unencrypted laptops.

Increasingly, healthcare providers are coming under regulatory scrutiny and the eyes of the plaintiffs bar, but with little apparent consistency or pattern. How on earth is a healthcare provider to remain compliant with all of these regulations if it has not been handed a clear version of the rules of the game?

Rebecca Bole is EVP & Editor-in-Chief at Advisen. She has nearly 20 years of experience in the international insurance markets, both as an underwriter and a journalist. Contact Rebecca at rbole@advisen.com.