Security Shredding and Storage - a shredding industry publication
What Business Owners Need to Know About Changes to Health Information Laws and Insurance

By Ken Fontana and Mollie Day

Certain provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus package, though specifically limited to the context of health data, have far-reaching implications for businesses that manage protected health information (PHI). ARRA allots approximately $20 billion in financial incentives to help computerize America’s health records. The huge cash infusion will undoubtedly bolster the records management industry, but with this boon come new federal liabilities that document handlers will need to consider.

Shredding contractors and document handlers are currently in a high growth sector of the economy, says Ed Jones, president of, an online research source for industries affected by HIPAA. As the electronic component of healthcare records grows, says Jones, “there will be a huge scanning and shredding opportunity for paper records which aren’t going to be retained. There is (also) going to be demand for backups of scanned and electronic data.” Jones cautions that businesses involved in records management and information destruction will need to become familiar with the myriad of new ARRA laws – and be mindful to stay compliant.

President Obama signed the ARRA into law on February 17, 2009. Prior to these new rules, document handlers who dealt with PHI were subject to HIPAA regulations. Under the new ARRA, the rules are very different. As of next February, “covered entities,” such as physician practices and hospitals, and their “business associates” will have to comply directly with the HIPAA Security Rule. Penalties for non-compliance and for breaches of privacy and security have been increased significantly. In addition, ARRA has introduced the first federally mandated breach notification requirement. In the event of a breach of unsecured PHI, the new laws require certain entities to notify affected individuals, government agencies and the media.

Several ARRA provisions directly impact the record management industry. For instance, one provision expands the reach of HIPAA to require “business associates” of “covered entities” that handle PHI to comply with the Security Rule as if they were a covered entity. Under Title XIII of the ARRA, also known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, records storage and destruction centers are recognized as business associates, governed by HIPAA. Vendors will be responsible for securing PHI when it appears in files – of any form or medium – precisely as a covered entity does today. The HITECH Act also requires business associates to develop and implement comprehensive written PHI security policies and procedures and implement safeguards. In instances of non-compliance, HIPAA violations can then be directly assessed against the vendor rather than just having a business associate contract terminated.

The new HITECH rules will be enforced by the US Department of Health and Human Services (HHS). Currently, the Centers for Medicare and Medicaid Services (CMS) enforces the HIPAA Security Rule and the Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule.

Fines can be swift and sizeable. The FTC fined CVS Pharmacy $2.25 million for HIPAA violations in February of this year when it was determined that multiple CVS stores were discarding pill bottle labels and other sensitive customer information in open trash bins. Vendors who store and/or destroy documents for health centers could be holding several hundred thousand claims in one box. Under these circumstances, potential violations can be extensive. If the information is in electronic format the number of records exposed can increase significantly.

According to the HHS guide, a “breach” is defined as “the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.” If a patient file box falls and spills patient medical records onto the floor, then naturally the vendor’s employee would access PHI in returning these files to the box. If the employee doesn’t disclose that information, then a HIPAA privacy violation has not occurred. If the employee spreads the information to others, then a HIPAA violation is clear.

Under the new HITECH Act, a vendor must notify its client of “the identity of each individual whose health information has been or can be reasonably believed by you to have been accessed, acquired, or disclosed” during a breach. Victims must be notified by first-class mail. Furthermore, vendors may be required to notify the Secretary of HHS, the FTC and the individuals impacted by the breach, or their next of kin, if necessary.

The administrative costs of determining how the breach occurred, plus the cost of tracking down the victims’ current mailing addresses (compounded by postage rates), plus the cost of crafting a breach notification letter that meets the OCR guidelines, could add up to a hefty sum for violators. It’s important to note that hospitals cannot waive vendors’ responsibilities in the event of a breach being investigated by OCR, and they will almost certainly not cover vendors’ costs of responding to the investigation or defending a legal action. In the event of a breach, the law allots a maximum of 60 days for these notifications. In addition, vendors must retain proof of these notifications, including evidence demonstrating the necessity for any delay. Monetary penalties are mandatory for violations involving willful neglect as of February 17, 2011.

Good contracts are a must for those who wish to protect the client, the vendor and the PHI in a HIPAA environment. Vendors will want to consider an insurance company that will cover the new laws. “Never accept a liability that is not covered by insurance,” says John Ulmer of Professional Records & Information Services Management (PRISM), a not-for-profit trade association. Standard Errors and Omissions (E&O) policies, “umbrella” policies and general liability policies do not cover exposures under HIPAA. Most standard policies are designed to cover every market and are not specifically written to cover records management companies under the new laws.

In the past, standard policies may have provided ample support for a vendor. For example, if a vendor accepted records from a doctor and then lost them or sent them to the wrong business, the violations would be assessed against the doctor, who could then sue the vendor for neglect of contract. This is no longer true. Under the new rules, if a client sues the doctor, for example, then the doctor must sue the vendor. Given the circumstances, vendors should strongly consider a policy that is specially designed for the records management industry. They will want to review their policy with the insurance agent and determine how the policy will respond to events such as untimely release. In particular, vendors will want to review the policy’s exclusions.

Insurers, experts and lawyers agree that vendors and clients should be certain that measures to prevent and mitigate risks are accounted for under contract. “An appropriate insurer writing liability insurance is going to be mindful when looking at the safeguards,” says Jones. “Risk mitigation is the key to this,” he adds, noting that a risk analysis is one of the requirements of the HIPAA Security Rule.

The National Institute of Standards and Technology’s (NIST) document 800-66 (revision one) describes all of the steps needed to analyze and mitigate risk of threats and vulnerabilities that could lead to a business contingency or disaster. “I’m sure underwriters of liability insurance for business associates are going to be looking towards business associates having completed a written risk analysis, as required under the HIPAA Security Rule,” says Jones.

A risk analysis also makes good business sense. “Looking at what your risks are and at what insurance will cover those risks is key,” says Bob Coffield, a healthcare lawyer practicing at Flaherty, Sensabaugh & Bonasso, PLLC and blogging from Charleston, West Virginia. “Understand where your data is going. Map it out. Do an audit and understand where that data sits in your business. Deal with the higher risks and potential violations of higher areas first.” Vendors may want to note that certain policies can be written as riders under standard coverage and can protect a vendor for the cost of breach notification and follow-up. “But most of those policies do not cover the actual damage,” Coffield cautions.

Coffield also offers some insight on the use of Red Flag Rule language. The Red Flag Rules, part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, require financial institutions and creditors to develop and implement written identity theft prevention programs. Healthcare providers who extend credit to a patient under a payment plan also fall under the Red Flag Rules. Compliance is required as of August 1, 2009, the deadline having been delayed twice, from November 1, 2008 and from May 1 of this year.

These rules require that if a red flag pops up – for example, if a false ID is used – then the liable party must investigate, mitigate and notify somebody in the event of a broader problem. “I may want to have Red Flag-like language under the contract,” says Coffield. “Or I may not include that type of language. In a case where something happens at the vendor level then I’m not responsible for reporting it. You need to be clear with your agent what you’re looking for – that’s true with any insurance.”

In the HIPAA environment, one thing a vendor will want to avoid in an insurance policy is “silence,” a condition in which the underwriter doesn’t specifically exclude certain violations. If there is “silence” on an issue, then the liability carrier may allow some coverage. However, if the loss is large enough, the liability carrier could claim not to cover it and the vendor would be forced to sue their own insurer.

Underwriters will be creating policies that suit business associates under the HITECH Act. “It’s going to be an important issue for vendors to make sure those policies are in place,” says Jones. What will a HIPAA policy cost? “Pricing is going to be based on a wide range of circumstances,” Jones adds, “such as the size of a business’ activity; written security policies and procedures; and what safeguards are already in place. Actuaries will determine exposures and set prices accordingly.”

The new laws are expected to change enforcement practices. Subsection 13410(c) of the HITECH Act requires civil penalties collected under the Act to be channeled back into HHS’s OCR enforcement budget. OCR is expected to be more proactive in its approach to enforcing the Privacy Rule. Prior to receiving the stimulus money, the OCR did not have sufficient staff to investigate allegations. However, enforcement resolutions have been on the rise since 2003, according to the OCR’s website, and much of that resolution has come through corrective action. The ARRA allocates $9 million to the OCR for enforcement purposes.

“I clearly think we’re going to see enforcement ramp up. There’s actually going to be funding for it,” says Coffield.

Kenneth S. Fontana is an insurance broker based in St. Louis, Missouri. His concentrated fields are Household Goods Moving and Storage and Records/Data Storage and Destruction operations. Fontana worked with insurers to design an insurance program exclusive to records management companies. If you should have any questions regarding this article topic, please contact Ken at 800-221-7686.
