Stiffer Penalties for HIPAA Violations - Are You Covered?
November 24, 2009
On October 30, 2009, the U.S. Department of Health and Human Services issued an interim final rule with request for comments in an attempt to strengthen its ability to enforce rules under the Health Insurance Portability and Accountability Act (HIPAA). The interim final rule relates to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The ARRA established a tiered civil penalty structure for HIPAA violations. The HITECH Act significantly increases the penalty amounts for violations of the HIPAA rules and encourages prompt corrective action.
One of the most significant changes involves the HITECH breach notification requirement applicable to HIPAA covered entities and associations, including group health plans. Under this requirement, HIPAA covered entities must notify individuals when there is a breach of unsecured protected health information. Plans must provide notice to each affected party and, in certain situations, the Department of Health and Human Services (HHS) without unreasonable delay and in no case later than sixty days after discovering the breach.
Before the HITECH Act, the HHS could not impose a penalty greater than $100 per violation or $25,000 for all identical violations. The new act increased civil penalty minimums to a $100 to $50,000 range, depending on severity, and increased the maximum penalty to $1.5 million per year. Penalties will also be assessed even when the covered entity did not know it violated HIPAA rules, unless the covered entity corrects the violation within thirty days of discovering the violation. Prior to the Act, covered entities could bar the imposition of monetary penalties for these types of violations.
The HHS is implementing these new rules to strengthen HIPAA protections and rights related to an individual's health information. According to the HHS, the strengthened penalty structure will encourage health care providers and health plans to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules.
The interim final rule with request for comments conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. The new rule will become effective on November 30, 2009, and the HHS will accept and consider comments received by December 29, 2009.
Health plans need to achieve compliance with these new rules by determining whether safeguards are currently in place to prevent breaches, by implementing systems to detect breaches, by implementing breach notification policies and procedures and by training members of the plan on the new systems.
Are You Covered?
As complex Fiduciary Liabilities expand and change, the Fiduciary Liability experts at ULLICO Casualty Group, Inc.* react to changing regulatory risks by customizing our policies for the needs of our trustees. To ensure that you are covered, first work with your broker or insurance representative to check your policy's definition of "wrongful act" to ensure that it includes coverage for breaches of fiduciary duty under HIPAA and similar laws. Under the typical policy that we offer with Hudson Insurance Company, rated "A/Excellent" by A.M. Best,** the policy definition of "wrongful act" expressly provides coverage for breaches of fiduciary duty under HIPAA and similar laws. Next, check your policy's limits of liability for HIPAA penalty coverage, as many companies provide sub-limits of coverage for HIPAA liabilities. Although policy terms and conditions vary, we typically offer full policy limits for fines, penalties and defense costs for Health and Welfare Plans. And for Non-Health and Welfare plans, we typically provide a maximum limit of $1.5 million for HIPAA penalty coverage or up to the policy limits, whichever is less. Again, terms and conditions vary for each policy, and we encourage you to check with your broker or insurance representative.
Please contact your broker or a ULLICO Casualty Group underwriter with any questions regarding this coverage. For further information regarding our products, contact us at our toll-free number: 888.315.3352. You can also visit our website: www.ullico.com/casualty.

Daniel Aronowitz
President
daronowitz@ullico.com
202.682.4992
John O'Brien
Vice President of Marketing
jobrien@ullico.com
202.962.2980
Doug Dvorak
Vice President of Claims
ddvorak@ullico.com
202.682.8788
*ULLICO Casualty Group Inc. is an affiliate of ULLICO Casualty Company and both companies are subsidiaries of ULLICO Inc., the holding company. ULLICO Casualty Group Inc. in CA, ULLICO Insurance Agency Inc. Lic# 0E16939, in NY, ULLICO Casualty Agency. Products may not be available in all states.
**Ratings as of 9/30/09.