Self-funded insurance plans are not immune from the many data breaches that have been occurring in the last several years. Not only has the number of breaches increased, but the level of sophistication used by hackers to steal data has also increased. Preventing a breach requires diligence, but the alternative can be detrimental to an organization.
So what does an insurance plan do to help protect itself?
Because all plans have access to PHI (personal health information) and PII (personally identifiable information), they should understand the state and federal laws surrounding the privacy and security of participants' PHI and PII. Health and welfare plans are subject to HIPAA (Health Insurance Portability and Accountability Act) and the HITECH (Health Information Technology for Economic and Clinical Health) Act. In addition, organizations that hold Massachusetts residents' personal information must comply with 201 CMR 17.00, the Massachusetts data security law. Using secure email and secure websites to transmit data helps ensure that data sent between parties is encrypted. While plans are not responsible for personal information sent to them electronically by plan participants, it's a best practice to offer a portal or other secure method for receiving sensitive data.
Plans should also be sure that their partner service providers, which include the TPA or ASO carrier, broker, consultant and stop loss carrier, carry cyber liability coverage and are able to show proof of that coverage.
If something does go wrong, being prepared makes a big difference.
A plan can design a strong security plan or a formal incident-response plan prior to any incident. This can help cut down on the average response time and cost of a data breach.
Also, plans should consider buying cyber liability insurance coverage, which will pay the policyholder's notification cost, which can be quite steep. In addition, should an individual ever sue or seek financial damages in connection with a data breach, cyber liability insurance covers defense, settlement and judgement costs. Once a cyber liability policy is triggered, the insurance company can provide the policyholder with access to experts to help resolve the situation, whether that means halting a breach in progress or helping with the often complex notification process.