Senior living providers are facing a mounting danger of losing or compromising protected health information (PHI).
A Massachusetts hospital made headlines in May after announcing it will pay fines and remediation costs of more than $750,000 to settle a data breach case stemming from the 2010 loss of thousands of consumers’ unencrypted personal and protected health information.
To prevent similar costly payouts, some companies are turning to a new form of protection: cyber insurance.
The types of breaches it covers range from simple human error to uncontrollable circumstances and malicious intent, all of which could have significant financial impact on companies.
Security and privacy obligations for senior living
Data breaches cost the healthcare industry an estimated $6.5 billion each year, according to a December study conducted by the Ponemon Institute, and that figure will likely continue to grow as more records become digitized.
Senior living providers are already required to maintain and protect a significant amount of both resident and employee data.
Under Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), companies must follow certain procedures and guidelines for maintaining the privacy and security of personal health records (PHRs) and protecting them against fraud and abuse.
For a stand-alone retirement community, that might mean 250 records. For a national senior living provider with more than 200 locations, it could mean tens of thousands.
As of 2009, data breaches carried an average organizational cost of $6.75 million, according to the Ponemon Institute.
In addition to financial penalties, senior living providers could also be subject to public scrutiny.
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, could require any company regulated by HIPAA to report data breaches to multiple outlets, including the Department of Health and Human Services, the media, and affected individuals.
Companies also regulated by the Securities and Exchange Commission have their own set of requirements they must follow.
Aside from the legal obligations and reporting requirements, there are “real costs” associated with data breaches, says Tracy Jurusik, who deals with liability insurance claims in her role as senior vice president at global insurance broker The Willis Group Holdings.
It can cost a company as much as $214 per record, she says. For a company like Brookdale Senior Living, with close to 650 properties and capacity for more than 63,000 residents, a record breach could cost north of $1.3 million.
“If you lose a lot of records, you’re looking at a pretty big exposure,” says Jurusik.
Cyber insurance is new to senior living
At this point, having a cyber liability insurance policy is a relatively new concept among senior living providers, but that might change.
In March, the Assisted Living Federation of America (ALFA) endorsed Willis to provide insurance and risk management services to its members.
Cyber liability policies will become a routine purchase for companies with room in their budgets, considering their exposure to security breaches, Jurusik says.
The insurance can cover, either partially or fully, the cost of notifying all relevant parties, credit monitoring for affected individuals, the forensic work needed to determine whether the information on a recovered disk or hard drive was accessed, and court costs if a company is sued.
Regardless of whether senior living companies decide to buy a cyber insurance policy, the HITECH Act requires anyone storing PHI to have a plan of action in the event they experience a security breach, and assessing risk is paramount.
Senior living providers are at particular risk because of the nature of the information they store on residents, says John Atkinson, Managing Partner at The Willis Group Holdings.
USB drives, BlackBerries, laptops, electronic filing systems—these can all be used to access or store that protected health information, and they’re all liable to be misplaced, lost, stolen, or breached.
Any cyber attacks and incidents that put personally identifiable information such as Social Security Numbers (SSNs) and healthcare records in jeopardy require disclosure, says Atkinson.
“The real exposure for senior housing operators that have this personal information, whether in electronic or paper format, is having to rectify that situation if it were to be breached,” he says.
Security breaches aren’t all malicious or intentional. While it’s possible someone might break into an office to steal a laptop with company data and records, there was a case in which a briefcase with resident files was lost because it was in the backseat of a stolen car, recounts Jurusik.
“When people think of cyber liability, they think of a hacker coming into the system and stealing information, but the situation we most often see is human error, where something’s lost or misplaced,” she says.
Companies that are maintaining thousands of individual records containing SSNs and health information need to assess their exposure level in the event health information was breached or lost, says Scott Ranson, Brookdale Senior Living’s chief information officer.
“It’s very important for organizations to have cyber liability insurance,” he says.
The more coverage a company has, the more its policy will cost, Ranson says, but as entities covered by HIPAA regulations, long-term care providers should seriously consider cyber protection.
“You wouldn’t think about operating a building without having property insurance or casualty insurance,” he points out. “I wouldn’t think a company would want to have electronic medical records and HIPAA-protected information without having cyber liability insurance.”
Written by Alyssa Gerace
This article is sponsored by the Assisted Living Federation of America (ALFA) as part of its efforts to advance excellence and explore topics impacting the future of senior living. For more information about ALFA, visit www.alfa.org.