Business associate insurance agency closes doors due to HIPAA violation

Increase your agency strength

Please note that we are not attorneys and do not guarantee compliance with HIPAA.

Upload: mike-ramsby

Post on 21-Jan-2018


Category: Healthcare



TRANSCRIPT


GRA works with 50 agencies in these states…

Our HIPAA experience came when we were audited by a large carrier in 2010. Three people, three months. There had to be a better way.

Your HIPAA Requirements:

• Perform a risk analysis

• Document how your office handles PHI

• Train your staff regularly

• Develop a spirit of compliance

Insurance Agency closes doors:

HIPAA breach forces company out of business

Joe owns National Agency. He first opened his doors in 1995. He grew to a 9-person agency by 2013.

In March 2013 a laptop was stolen from Joe’s car. It contained a complete database of his clientele.

His best carrier revoked his agent status in June 2013.

Multiple staff members moved from his company to other agencies.

In January 2014, HHS began its investigation.

Joe’s customer base began a slow decline.

Besides the loss of his unencrypted laptop, HHS also found that National Agency:

…used unsupported software,

…had disposed of a fax machine without wiping the personal information,

…had taken more than 3 months to notify the carrier,

…and did not have business associate agreements with any of its vendors.

By August 2014, the government issued a settlement agreement for $850,000 and a corrective action plan.

In September 2014, Joe said goodbye to his remaining staff and closed the doors of National Agency.

CLOSED

Fortunately, Joe’s story is fiction. However, it won’t be long until a similar story is in the local news.

He could have avoided this with a $2,000 investment.

Real Examples

DeLoach & Williamson

This South Carolina broker had a laptop stolen that contained PHI of 3,432 individuals.

Following the breach, they immediately launched an investigation and retrained the employee.

They closed immediately after the breach.

Anchorage Community Mental Health Services

Breach affecting 2,743 individuals due to outdated and unsupported software

Settlement reached in December 2014. The facility paid $150,000 to HHS and adopted a government-recommended corrective action plan.

Affinity Health Plan

Estimated up to 344,579 individuals were affected when multiple photocopiers were returned without having been erased.

Settlement reached in August 2013. Affinity paid $1.2 million and implemented a corrective action plan.

Adult & Pediatric Dermatology

During a breach investigation, HHS also found that they had failed to properly handle breach notification and that the company had waited more than a year before performing a risk assessment.

A fine was issued for $150,000, the company adopted a corrective action plan and must report its progress to HHS.

Pharmacy Chain

OCR investigated an incident in which information was inappropriately disclosed to a business associate. OCR determined that the business associate did not misuse the information; however, no business associate agreement was in place.

A corrective action plan was established.

Blue Cross Blue Shield of Michigan

Personal information of 5,514 BCBSM members was printed out and used to access credit cards and gift cards. At least two employees were involved.

11 people were arrested.

Mass. provider settles HIPAA case for $1.5 million

Alaska settles HIPAA security case for $1,700,000

HHS settles HIPAA case with BCBST for $1.5 million

HHS settles lack of HIPAA safeguards case for $100,000

WellPoint pays HHS $1.7 million

County Government agrees to $215,000 settlement

HHS settles with health plan for $1.2 million

Hospice breach of less than 500 settles for $50,000

Don’t be like Joe

Breach: Stolen Laptop

• Implement a mobile device policy

• Keep a log of individuals with laptops

• Don’t store data on the laptop

• Utilize strong passwords and encryption

• Remind users not to leave laptops in an unsecured location

Breach: Outdated Software

• Schedule regular updates every week

• Document whenever updates are performed

• If you must use outdated software, apply other safeguards to protect the information
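As an added example, not code from the presentation or from GRA's PHI365 materials, the following Python script audits a laptop inventory against the three items above that can be checked mechanically: full-disk encryption, weekly patching, and unsupported operating systems. It keeps the "log of individuals with laptops" the slide asks for and flags any device holding client PHI without encryption, since a lost unencrypted laptop is exactly the event that starts Joe's story. The CSV columns, the device records, the 7-day patch window, and the end-of-life list are assumptions chosen for illustration, not data from the page.

```python
"""Laptop inventory audit for a small agency (added example, not from the page).

Flags devices that would fail the 'Stolen Laptop' and 'Outdated Software' items:
no full-disk encryption, no patching within the weekly window, or an operating
system that is no longer supported.  All field names, records, thresholds and the
end-of-life list below are assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (assumed column layout); a real agency would keep
# this log current as laptops are issued, re-imaged or returned.
INVENTORY_CSV = """\
device_id,assigned_to,os,os_version,disk_encrypted,last_patched,stores_phi
LT-001,jsmith,Windows,10,yes,2018-01-15,no
LT-002,mjones,Windows,XP,no,2017-09-30,yes
LT-003,rlee,macOS,10.13,yes,2018-01-19,yes
LT-004,kpatel,Windows,10,yes,2017-12-01,no
"""

# Assumed end-of-life list.  Windows XP (April 2014) and Vista (April 2017) had
# both reached end of extended support before this audit date; extend as needed.
UNSUPPORTED_OS = {("Windows", "XP"), ("Windows", "Vista")}

# The slides recommend weekly updates; anything older than this is a finding.
PATCH_WINDOW = timedelta(days=7)

# Audit date assumed for the worked run (matches the sample records above).
AUDIT_DATE = date(2018, 1, 21)


def parse_inventory(text):
    """Parse the CSV log into dicts with typed dates and booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_patched"] = date.fromisoformat(row["last_patched"].strip())
        row["disk_encrypted"] = row["disk_encrypted"].strip().lower() == "yes"
        row["stores_phi"] = row["stores_phi"].strip().lower() == "yes"
    return rows


def audit_device(dev, as_of):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    if not dev["disk_encrypted"]:
        findings.append("no full-disk encryption")
    if (dev["os"], dev["os_version"]) in UNSUPPORTED_OS:
        findings.append(f"unsupported OS {dev['os']} {dev['os_version']}")
    stale = as_of - dev["last_patched"]
    if stale > PATCH_WINDOW:
        findings.append(f"not patched in {stale.days} days")
    if dev["stores_phi"] and not dev["disk_encrypted"]:
        # Loss of this device would expose unsecured PHI and trigger notification.
        findings.append("client PHI stored on an unencrypted device")
    return findings


def audit_inventory(text, as_of):
    """Map device_id -> findings for every device in the log."""
    return {dev["device_id"]: audit_device(dev, as_of)
            for dev in parse_inventory(text)}


def report_lines(results, inventory_text):
    """Render a dated report; keep the output as evidence that the check ran."""
    owners = {d["device_id"]: d["assigned_to"] for d in parse_inventory(inventory_text)}
    lines = []
    for device_id, findings in sorted(results.items()):
        status = "OK" if not findings else "; ".join(findings)
        lines.append(f"{device_id} ({owners[device_id]}): {status}")
    return lines


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV, AUDIT_DATE)
    print(f"Laptop audit as of {AUDIT_DATE.isoformat()}")
    for line in report_lines(results, INVENTORY_CSV):
        print(line)
```

Run it on the agency's own export in place of the constructed CSV and file the printed report with the week's update records; the report is the documentation the slides call for, and a device that keeps appearing with findings is the one to pull from service.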

Breach: Improper Disposal

• Properly dispose of all media

− Shred documents

− Wipe or destroy equipment

− Double-check that the information is unavailable

− Document disposal and destruction

Breach Notification

• Notify your carrier and HHS immediately

• Set up procedures to notify clients

• Document any perceived security incidents

Business Associates & Subcontractors

• Make a list of all your vendors and determine who has access to PHI

• Issue custom business associate agreements with all appropriate vendors

You can’t protect against a breach 100% of the time

What you can do:

• Perform a risk analysis

• Document how your office handles PHI

• Train your staff regularly

• Develop a spirit of compliance

How PHI365 helps

Compliance Analysis

Documentation

Annual Training

Ongoing Compliance Program

Continuous Support

Compliance Analysis

Custom Documents

We work with you to create more than 700 pages of documentation tailored to your company.

Ongoing Compliance

Access to compliance team

Annual training

Monthly Reminders

Updates to law

Ongoing Compliance Topics

Privacy Reminders

Entry Access Policy Review

Quarterly Breach Policy Review

Vulnerability and Penetration Testing Reminders

Social Engineering and Phishing

Conversational Awareness

Physical Document and Workspace Security

And Other Timely Topics

Marketing Opportunities

Yes, my agency is secure. Protecting your information is our top priority.

Your HIPAA Requirements:

• Perform a risk analysis

• Document how your office handles PHI

• Train your staff regularly

• Develop a spirit of compliance

10-person agency: Setup $1,500, Monthly $92.50

Michigan Group Benefits

“GRA’s PHI365SM solution is empowering. I feel my company and client data are now better protected. GRA was very knowledgeable and continues to help me reach HIPAA and HITECH compliance.”

– Michael Harp

GRA other services…

Questions?

Learn and Connect

www.grabenefits.com/blog

[email protected]

(517) 351-4908