As the issues of rising health care costs and increased absenteeism due to health problems grow, wellness programs are seen as an effective method of improving employee health and morale and decreasing health-related costs for employers.
In order to realize improved employee health and a good return on investment (ROI), you need to choose the right wellness program for your company. Success is dependent on both employee engagement and support from all levels of management. To choose the right program, you will need to determine your organization’s needs and resources and then match that with the appropriate type of wellness program.
Employee Needs and Interest
Assess your workplace to determine your employees’ health problems and fitness levels, as well as their interest in different types of wellness programs. Consider using surveys, focus groups and health risk assessments to learn more about the health status and interest areas of your employees. Areas of focus for a wellness program may include disease prevention, fitness, smoking cessation, alcohol and substance abuse counseling, nutrition education, mental health help, weight loss and stress management. In order to engage employees, your wellness program must fit what they perceive to be a need and must be something that they are willing to participate in.
Resources and Management Support
For a wellness program to succeed, leadership on all levels must also buy in to the wellness program idea. To ensure the support of management, inform managers about the program early on and encourage them to participate. Communicate the program’s goals and benefits clearly and often.
Types of Programs
Workplace wellness programs encompass an extremely broad range of activities and initiatives in the workplace, and universally accepted definitions or categories have not yet emerged. However, wellness programs can generally be categorized based on the level of effort and time commitment necessary to make them successful and based on the type of activities included in the program. Following are three general categories of wellness programs.
Screening events – The least-involved types of wellness programs are screening activities. These are health risk assessments which can be self-administered questionnaires or biometric screenings. The goal of these programs is to give employees information on their health status and possibly prompt changes to achieve better health.
Health education and promotion activities – These wellness programs aim to improve employee morale, educate and possibly prompt some behavioral changes. You can consider providing educational sessions and materials for employee groups, or you might provide individual or group counseling sessions for such topics as smoking cessation or alcohol or drug abuse. Other types of wellness promotion programs may include changing policies or procedures around the workplace, such as switching to healthier cafeteria or vending machine offerings, or promoting walking meetings instead of meetings in a conference room.
Prevention and intervention measures – These wellness programs might include a weight-loss initiative, a walking competition or similar ideas that attempt to influence employee behavior. Typically these programs require up-front investment by the employer in planning, potentially bringing in outside counselors or resources, providing any necessary equipment (such as pedometers or a scale for weigh-ins) and offering various incentives or rewards for participants as they meet their fitness goals. This type of highly involved program will likely see the best ROI, but it needs a high level of support from management and high employee engagement in order to be successful.
When deciding on and planning your wellness program, you also need to consider how the program is classified for the purpose of legal compliance. Based on regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Affordable Care Act (ACA), a wellness program can fall into one of two basic categories that determine what guidelines it must adhere to. These categories are participatory and health-contingent wellness programs, with the health-contingent category additionally broken into two subcategories: activity-only and outcome-based.
Participatory wellness programs simply require an employee to join the program; for example, an employee may attend a session about nutrition or participate in a health screening, with no regard to whether the employee actually changes any behavior or meets any health standards.
A health-contingent wellness program requires the participants to satisfy a standard related to a health factor in order to obtain a reward. For an activity-only wellness program, the employee would complete a health-related activity, such as walking or following a specified diet. For an outcome-based wellness program, the participant must meet a health-related goal, such as not smoking or satisfying certain exercise goals. Both types of health-contingent wellness programs must follow additional requirements—such as providing a reasonable alternative standard and not exceeding specified incentive limits—in order to be in legal compliance.
Contact The Buckner Company for resources
Workplace Wellness: Choosing the Right Wellness Program
© 2013 Zywave, Inc. All rights reserved
We are excited to announce that our CEO, Terry Buckner, has been featured in the 2015 edition of Life in Utah magazine. In the article “Investing in People”, Terry talks about the importance of recruiting top talent in order to provide excellent service to our community. Terry believes, “Serving the community not only helps the community, but our business because it allows others to get to know us. People will do business with people they know and trust. Service helps build a great community and a strong business.”
Read the rest of the article here on page 28.
According to a 2013 Workplace Wellness Programs study by the RAND Corporation, about half of U.S. employers offer wellness initiatives. These programs may include wellness screenings, interventions and more complex programs.
What Is Workplace Wellness?
Workplace wellness refers to the education and activities that a worksite may sponsor to promote healthy lifestyles for employees and their families. Examples of wellness initiatives include such things as health education classes, subsidized use of fitness facilities, internal policies that promote healthy behavior, and any other activities, policies or environmental changes that affect the health of employees.
Do Wellness Programs Really Work?
When sponsoring a wellness program, the main hurdle to success is engaging your employees in the program. According to RAND’s wellness study, slightly less than half of employees participated in simple wellness programs such as clinical screenings or completing health risk assessments. The benefits of wellness programs can only be realized if a significant number of your employees take part in the efforts.
Why Workplace Wellness?
Wellness affects your company’s bottom line in many ways—in particular, it can lower health care costs, increase productivity, decrease absenteeism and raise employee morale. Because employees spend many of their waking hours at work, the workplace is an ideal setting to address health and wellness issues. The U.S. Centers for Disease Control and Prevention (CDC) promotes the formation of workplace wellness programs because, according to one of its studies, employees in companies with “a strong culture of health” are three times as likely to actively strive to improve their health. There are numerous benefits to workplace wellness when employees see the value and participate.
Control costs. Health care costs are a significant portion of a company’s budget, so strategically targeting this expense can benefit an employer’s bottom line. An investment in your employees’ health may lower health care costs or slow the cost increases. Employees with more health risk factors, including being overweight, smoking and having diabetes, cost more to insure and pay more for health care than people with fewer risk factors. A wellness program can help employees with high risk factors make lifestyle changes to improve their quality of life and lower costs, while also helping employees with fewer risk factors remain healthy.
More productive employees. Research shows that workplaces with wellness programs have employees who are more productive at work.
Less missed work. Healthier employees mean fewer sick days, which is another benefit companies generally achieve through wellness programs. Plus, employees’ healthier behavior may translate into better family choices, so employees may also miss less work caring for ill family members. Reduced absenteeism can yield significant cost savings and return on your wellness investment.
Reduced workers’ compensation and disability costs. Employees who make healthy changes and lower their health risk factors often have a reduced chance of a workplace injury or illness or a disability. In both cases, this can save the employer money, not just on insurance premiums and benefits paid out, but also on the replacement cost of recruiting and training a new worker to replace one who is out of work for health reasons.
Higher morale and improved recruiting. A company that cares about its employees’ health is often seen as a better place to work, and wellness programs can attract top talent in a competitive market. In addition, expressing a commitment to your employees’ health can improve employee morale and strengthen retention. Employees can experience many potential benefits after joining a wellness program, including:
- Increased well-being, improved self-image and higher self-esteem
- Improved coping skills with stress or other health factors
- Reduced risk for developing chronic or life-threatening conditions
- Increased motivation to improve health
- Improved overall health
- Lower costs for health care (fewer doctor visits, lower premiums, less need for expensive care, etc.)
- Access to needed social support, as co-workers also strive toward healthier lifestyles
- Improved job satisfaction
- Safer and more productive work environment
Employees who experience these positive changes and benefits will often feel more loyalty to the company and be more grateful for the company’s commitment to their health. Contact The Buckner Company for resources to help you develop your wellness program.
Workplace Wellness: Why Promote Wellness?
Why Do I Need Cyber Liability Insurance?
One of the biggest stories of the 2013 holiday shopping season had nothing to do with the hottest toys or the increased reliance on online shopping: Hackers infiltrated Target’s point-of-sale system in December and gained access to the credit and debit card information of 40 million customers and the personal information of 70 million more.
Luckily, the Minnesota-based chain has over $100 million of cyber liability insurance, according to sources.
As technology becomes increasingly important for successful business operations, the value of a strong cyber liability insurance policy will only continue to grow. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses. In an age where a stolen laptop or hacked account can instantly compromise the personal data of thousands of customers, or an ill-advised post on a social media site can be read by hundreds in a matter of minutes, protecting yourself from cyber liability is just as important as some of the more traditional exposures businesses account for in their commercial general liability (CGL) policies.
Whereas CGL, commercial property and commercial theft policies can cover damage to your tangible property, none of these will provide coverage for loss of data, which is considered intangible. Intangible property values often far outweigh tangible property, making cyber liability coverage a no-brainer if you maintain a strong online presence or handle a customer’s private information. Awareness of the potential cyber liabilities your company faces is essential to managing risk through proper coverage.
Possible exposures covered by a typical cyber liability policy may include:
- Data breaches – Increased government regulations have placed more responsibility on companies to protect clients’ personal information. In the event of a breach, notification of the affected parties is now required by law. This will add to costs that will also include security fixes, identity theft protection for the affected and protection from possible legal action. While companies operating online are at a heightened risk, even companies that don’t transmit personal data over the internet, but still store it in electronic form, could be susceptible to breaches through data lost to unauthorized employee access or hardware theft.
- Intellectual property rights – Your company’s online presence, whether it be through a corporate website, blogs or social media, opens you up to some of the same exposures faced by publishers. This can include libel, copyright or trademark infringement and defamation, among other things.
- Damages to a third-party system – If an email sent from your server has a virus that crashes the system of a customer, or the software your company distributes fails, resulting in a loss for a third party, you could be held liable for the damages.
- System failure – A natural disaster, malicious activity or fire could all cause physical damages that could result in data or code loss. While the physical damages to your system hardware would be covered under your existing business liability policy, data or code loss due to the incident would not be.
- Cyber extortion – Hackers can hijack websites, networks and stored data, denying access to you or your customers. They often demand money to restore your systems to working order. This can cause a temporary loss of revenue plus generate costs associated with paying the hacker’s demands or rebuilding if damage is done.
- Business interruption – If your primary business operations require the use of computer systems, a disaster that cripples your ability to transmit data could cause you, or a third party that depends on your services, to lose potential revenue. From a server failure to a data breach, such an incident can affect your day-to-day operations. Time and resources that normally would have gone elsewhere will need to be directed towards the problem, which could result in further losses. This is especially important as denial-of-service attacks by hackers have been on the rise. Such attacks block access to certain websites by either rerouting traffic to a different site or overloading an organization’s server.
New technological exposures continue to emerge. As your business grows, make sure your cyber liability coverage grows with it. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. It is important to work with a broker that can identify your areas of risk so a policy can be tailored to fit your unique situation. The Buckner Company is here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk.
Cyber Liability Insurance: Why Do I Need Cyber Liability Insurance?
Utah-based brokerage welcomes Denver agency to join their growing Intermountain West team in the acquisition that was finalized today.
Denver, Colorado – August 1, 2015 – The Buckner Company, one of the largest privately owned agencies in the Intermountain West with offices in Utah, Idaho and Colorado, has acquired the assets of Denver, Colorado-based Keller-Lowry Insurance Inc. effective August 1, 2015. Financial terms of the transaction were not disclosed.
Formed in 1972, Keller-Lowry has delivered quality insurance solutions to its clients with specializations in manufacturing, transportation, habitational and construction. Keller-Lowry becomes the platform for The Buckner Company of Colorado as Buckner continues to build out its regional footprint. The Buckner Company of Colorado is being led by Keith Braxton, the former CEO of Colorado Casualty Insurance Company and a veteran of the Colorado insurance community.
“We are very pleased to welcome Keller-Lowry to our firm,” Chairman and CEO Terry H. Buckner said. “This is a substantial transaction for us and clearly places us among the top tier of regional brokerages in the nation. They represent the finest the industry offers and will fit very well into our organization.”
“Keller-Lowry is very excited about this transaction,” President Troy Sibelius of Keller-Lowry said. “It provides us with increased options for access to additional insurance carriers and coverages, and more importantly, allows us to broaden our capabilities to provide even better service to our clients. This partnership also provides us with the resources to help us achieve significant growth for our agency footprint here in Colorado. We look forward to the future with The Buckner Company.”
The Buckner Company is headquartered in Salt Lake City, Utah. Additional information is available at www.buckner.com. Media Contact: Lindsay Clark, The Buckner Company. Email: firstname.lastname@example.org, Phone: 801-937-6517.
The Buckner Company is a third-generation, family-owned business led by Chairman and CEO Terry H. Buckner. Since 1936, the company has been delivering exceptional service to clients, placing people before profits. With excellent client retention and a strong team of insurance professionals, The Buckner Company continues to be among the fastest growing agencies in the Intermountain West.
Many medical devices, and many products made by life science companies, contain configurable embedded computer systems that can be vulnerable to cyber-security breaches. In addition, as medical devices are increasingly interconnected via the Internet, hospital networks, other medical devices or smartphones, there is an increased risk of cyber-security breaches, which could affect how a medical device operates.
The Food and Drug Administration (FDA) has recently become aware of cyber-security vulnerabilities and incidents that could directly impact medical devices and life science companies, including:
- Network-connected/configured medical devices infected or disabled by malware
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems and implanted patient devices
- Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical and maintenance personnel)
- Failure to provide timely security software updates and patches to medical devices, manufactured products and networks and to address related vulnerabilities in older medical device models (legacy devices)
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals and poor coding/SQL injection.
The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified.
For all device manufacturers:
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their products, including risks related to cyber security, and are responsible for putting appropriate mitigations in place to address patient safety and ensure proper device performance.
The FDA expects medical device manufacturers and life science companies to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, it is recommended that manufacturers review their cyber-security practices and policies to ensure that appropriate safeguards are in place to prevent unauthorized access to, or modification of, their medical devices and life science products. The extent to which security controls are needed will depend on the company, its environment of use, the type and probability of the risks to which it is exposed and the probable risks to patients from a security breach.
In evaluating your device or product, consider doing the following:
- Take steps to limit unauthorized device or product access to trusted users only, particularly for those devices that are life sustaining or could be directly connected to hospital networks.
- Appropriate security controls may include user authentication, such as user ID and password, smartcard or biometrics; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve product software changes made solely to strengthen cyber security.
- Use design approaches that maintain a device’s or product’s critical functionality even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident in which security has been compromised.
- Cyber-security incidents are increasingly likely, and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
Reporting Problems to the FDA
Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If you suspect that a cyber-security event has impacted the performance of a medical device or has impacted a hospital network system, file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.
Health care personnel employed by facilities that are subject to the FDA’s user facility reporting requirements should follow the reporting procedures established by their facilities.
Device manufacturers must comply with the Medical Device Reporting (MDR) regulations.
Contact the cyber security professionals at The Buckner Company today to discuss how to keep your health care facility safe and secure from cyber threats.
Information provided by: Life Science Risk Manager
Your car’s tire performance is essential to both its safety and its efficiency. Tires eventually lose traction and braking ability, and should be replaced when necessary. When your tires are in tip-top shape, they ensure that you stay safe behind the wheel.
Do Your Tires Need Replacing?
Here’s how to determine if you need to replace your tires:
- Inspect tread wear bars. These are small bridges that form between your treads. If you look at your tread pattern and notice the beginnings of these bars starting to form between the treads or running across the tires, and then become flush with the tires’ tread, you should replace your tires.
- Conduct the penny test by placing the coin upside down with Lincoln facing you in the center of the tread.
  - If you can see the top of Lincoln’s head or the metal above it, replace your tires immediately.
  - If Lincoln’s hair is partially visible, start comparing tire prices, as you will need new ones soon.
  - If you cannot see the top of Lincoln’s hair (tire tread should be as deep as his forehead), your tires do not need replacing yet.
Other Tire Tips
- Rotate your tires from the front to the rear in pairs.
- If you drive a four-wheel drive or all-wheel drive vehicle, replace all four tires when it is recommended in your service manual. The differences in tire diameter can cause permanent damage in your differentials if you do not do so.
- If you notice uneven wear on your front tires, your front end may be out of alignment. Have them checked and rotate your tires to the rear of the vehicle. This should correct the problem.
- Since tires do not wear evenly, perform the penny test at several points from the outside to the inside of the tires. Generally, tires will wear more on the inside but over-inflated tires will wear more in the middle.
- Test and replace your tires at the same time. If you drive with mismatched tires, you will not have the level of safety, performance and efficiency that a matched pair provides.
- Always keep your tires properly inflated.
To learn more about our automobile insurance coverages for new or used vehicles, contact us today!
According to the National Highway Traffic Safety Administration (NHTSA), an airbag propels out of a dashboard at 200 miles per hour – faster than the blink of an eye. Though they are designed to absorb the impact of a crash for adult motor vehicle passengers and drivers, children can suffer major injuries from an air bag.
Air Bag Safety Recommendations
To keep children injury-free while riding in your car, consider these safety recommendations:
- Place small infants in rear-facing child safety seats in the backseat. According to the American Academy of Pediatrics, babies properly buckled in a rear-facing car seat in the back of a vehicle are just as safe as if they were placed in a crib to sleep.
- Place toddlers over 1 year old and at least 20 pounds in forward-facing convertible safety seats in the backseat of the vehicle. Since these seats would situate the child several inches closer to the dashboard, they pose a risk for air bag injuries if they are placed in the front seat. Therefore, they must be placed in the backseat only.
- Place children who have outgrown convertible safety seats but do not fit correctly with a lap/shoulder seat belt in a car booster seat in the back seat of the vehicle.
- Children under age 12 should ride in the backseat of the vehicle with a seat belt securely fastened.
If you absolutely must seat children under age 12 in the front seat, take the following safety precautions to reduce their risk of injury:
- Restrain children in a safety seat appropriate for their age.
- Push the seat all the way back to provide as much distance between the dashboard and the seat as possible.
- Require that children sit with their backs firmly pressed against the seat. Do not allow them to wiggle or lean forward.
- Tighten the seat belt as much as possible to reduce their movement in the event of a crash.
Remember: we do more than help you avoid claims and arrive at your destination safely. Contact us today to learn more about all of our insurance solutions for your auto, home and life!
With the increasing popularity of smartphones and tablets, access to online shopping websites is only a fingertip away for most consumers. Online retailers can expect $327 billion in sales annually by 2016; but this growth comes at a price. The online retail industry is an increasingly attractive target for major cyber attacks. The results—including tarnished reputations, lost sales and costly lawsuits—can be devastating.
This happened to Zappos®, a large online shoe and apparel store owned by Amazon. In January 2012, cyber criminals broke into Zappos’ internal network and stole personal information from 24 million customers, including names, addresses and the last four digits of credit card numbers. Zappos attempted damage control by informing their customers about the incident and advising them to change their passwords, but much of the damage was already done.
As an online retail business, your success is dependent on the health and security of your biggest tool—your network. In order to protect your network and keep your online business profitable, it is critical that you understand the risks you face.
Hackers and Hacktivists
Do you think hackers only target big-brand retail websites that can gain them national attention? Think again. According to statistics reported by Symantec, an Internet security provider, cyber attacks on businesses with fewer than 250 employees increased from 18 percent in 2011 to 31 percent in 2012. Hackers have begun to realize that small to medium-size online retailers make easier targets because they generally lack IT departments and the high-level security software that big retailers have.
A cyber attack could knock a small to midsize online retailer offline for days, causing them to lose sales, customers and their reputation. Worse yet, a single data breach could even force some small retailers out of business. Visa, Inc. estimates that 95 percent of the credit card data breaches reported to them happened with their smallest business customers.
Not all hackers are after customers’ credit card numbers. “Hacktivists” attack computers or computer networks as a means of political protest. They’re not just targeting government websites, though. In April 2011, hacktivist group Anonymous attacked the Sony® website in hopes of gaining attention about recent legislation called the Stop Online Piracy Act (SOPA). They gained attention, and Sony’s website was down for hours.
What is a DDoS Attack?
Hackers can attack online retailers in a number of ways, one of which is a DDoS attack. DDoS, or distributed denial of service, is a type of cyber attack in which a hacker floods your retail website with traffic and overwhelms your server to the point that your legitimate customers are unable to access your site. DDoS attacks can last a few hours to a few days; meanwhile, your company loses out on business and may incur the cost of bringing in an IT specialist to investigate and stop the attack.
Can You Prevent a DDoS Attack?
Corero, a network security company, reports that DDoS attacks have risen 30 percent in recent years. This could cause a huge loss for online retailers, especially if the attack occurs on Cyber Monday or during the busy holiday shopping season. Although many times DDoS attacks occur on larger brand online retailers, no retailer is immune. Small and midsize companies that rely on larger e-commerce providers or payment processing companies could be affected if those larger companies come under attack.
With DDoS attacks, you’ll usually never find the source of the attack. Instead, focus on procedures to carry out once an attack happens, including communicating the incident to customers.
Mitigate the DDoS Risk
To mitigate some of the DDoS risk, it is important to understand your Web hosting environment. Some examples of Web hosting include:
- Shared hosting. Multiple websites share a single server. This is the most common and economical option for small companies, as the host already has a DDoS response plan in place.
- Cloud hosting. This is a newer platform where the hosting is decentralized and users are only charged for the services they use, not a flat fee.
- In-house hosting. A company, such as a larger online retailer, hosts its own site and assumes all of the responsibility for DDoS attacks.
Many small and midsize online retailers use shared hosting because they don’t have IT departments and the capabilities to host their own sites. When selecting a Web hosting service, consider the following:
- Does the hosting company cater only to e-commerce clients or to a variety of clients? The behavior of other users on the server could impact the performance of your website.
- How many websites are packed on a single server?
- What type of DDoS response plan does the host have in case of a cyber attack to the network?
Hackers love to steal credit card data, and online retail websites have plenty of that. With the increased use of wireless networks, data theft can occur more easily. Cyber threats include fraud, worms and viruses.
Most websites use Secure Sockets Layer (SSL), which is supposed to guarantee that login, password and credit card information is safe during a customer’s online shopping. SSL relies on special electronic certificates issued to a secure website, but each browser validates the certificates in a different way. Keep in mind that SSL is not immune from hacking, and beware of fake certificates.
Mitigate Data Breaches
Are you providing your customers with a secure online shopping experience? Consider the following:
- Comply with the Payment Card Industry Data Security Standard (PCI DSS). Merchants who don’t can get fined by credit card companies.
- Purchase as much security as you can afford. Consider how much lost customer data or lost customers would cost your company.
- Maintain continuous vigilance of your site and know your real customers.
- Have firewall segmentation between wireless networks and point-of-sale networks, or in front of any network that comes in contact with credit card information.
- If you suffer a data breach, communicate this to your customers.
Cyber security is a serious concern for online retailers of all sizes. We are here to help. Contact The Buckner Company to learn about our risk management resources and insurance solutions, such as Internet/Media Liability, Security and Privacy Liability and Identity Theft insurance today.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the privacy of individuals’ health information by establishing a federal standard concerning the privacy of health information and how it can be used and disclosed.
As health care institutions began storing larger volumes of private health data digitally, the need to protect this sensitive data from loss or theft grew.
To address this risk, the U.S. Department of Health and Human Services (HHS) issued HIPAA’s Privacy Rule and Security Rule in August 1996.
The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”) as well as standards for individuals’ privacy rights to understand and control how their health information is used.
The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
All covered entities were required to be in compliance by April 14, 2003, for the Privacy Rule and April 20, 2005, for the Security Rule.
What is a Covered Entity?
HIPAA defines “covered entities” as:
- Health care providers
- Health plans
- Health care clearinghouses
If you are not sure whether your organization is a covered entity, the Centers for Medicare & Medicaid Services (CMS) has an easy-to-follow chart available at www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html.
HIPAA Requirements for Your Organization
Essentially, HIPAA has two primary components that your firm must follow:
- Administrative simplification, which calls for use of the same computer language industry-wide
- Privacy protection, which requires covered entities to take “reasonable” measures to protect patient health information
If your organization is a covered entity, you must comply with the following:
- Implement a required level of security for health information, including limiting disclosures of information to the minimum necessary to accomplish the intended purpose. This standard does not apply to:
  - Disclosures to or requests by a health care provider for treatment purposes
  - Disclosures to the individual who is the subject of the information
  - Uses or disclosures made pursuant to an individual’s authorization
  - Uses or disclosures required for compliance with HIPAA’s Administrative Simplification Rules
  - Disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes
  - Uses or disclosures that are required by other law
- Designate a privacy officer and contact person
- Train employees on privacy policies
- Establish sanctions for employees who violate privacy policies
- Establish administrative systems that can respond to complaints about health information, respond to requests for corrections of health information by a patient, accept requests not to disclose for certain purposes and track disclosures of health information
- Create a privacy notice to patients concerning the use and disclosure of their protected health information
Cyber Liability and HIPAA
Patients’ health information is extremely sensitive and should always be handled with the utmost care. All it takes is a simple misclick or misspelling to send private information to the wrong person. Such a mistake could lead to a lawsuit and/or fines.
It’s important to remember that HIPAA protects patients, not covered entities. That’s why it’s critical that your organization has a cyber liability insurance policy to cover any potential data breaches. According to the Ponemon Institute’s Cost of a Data Breach Survey, the average per record cost of a data breach was $188 in 2012, and the average organizational cost of a data breach was $5.4 million.
If a Data Breach Occurs
If a data breach occurs, notify your state’s public health department immediately. Failing to do so can result in fines upward of $250,000.
Under HIPAA, covered entities must immediately notify affected individuals following the discovery of a breach of unsecured protected health information.
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction.
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HHS of breaches of unsecured protected health information.
You can never see a data breach coming, but you can always plan for a potential breach. Contact The Buckner Company today. We have the expertise to ensure you have the proper coverage to protect your company against a cyber attack.