Boomarang DBS Blog

How I Helped an Insurance Agency Achieve HIPAA Compliance

Posted by:

This past September I got a call out of the blue from an insurance agency manager who had attended one of my first cyber security risk management classes two years ago. They wanted to know if I still offered my safeguard program and whether it would help them show compliance with the HIPAA Security Rule, also called the Omnibus Rule, which was about to become effective September 23, 2013. You see, I planted the seed of information by teaching a class about cyber security best practices and due diligence, then demonstrated the compliance framework adapted specifically for small businesses, non-profits and local government agencies. The Omnibus Rule requires business associates of HIPAA covered entities to have a business associate agreement (BAA) that includes a risk management plan and employee training for safeguarding Protected Health Information (PHI) in the course of doing business. This was the first time I had an agency take the initiative to become compliant with a Federal mandate, and for good reason.

The Department of Health and Human Services (HHS) is definitely enforcing compliance on this particular section of HIPAA (Health Insurance Portability and Accountability Act) and has increased fines and penalties, but that’s not the only reason. According to the recent Lloyd’s of London report ranking risk perception internationally, cyber-threat is the 3rd biggest and fastest growing risk factor in the survey of nearly 600 C-suite and board-level executives, right behind high taxes and customer loss. Until now most businesses have been largely complacent about cyber-threats, but the cost and damage to reputation are driving them to implement safeguards and obtain specialty cyber insurance coverage. Insurance agencies that adopt a safeguard program themselves are better protected and better prepared to help their clients mitigate cyber-risk exposures.

So right now this agency is going through the employee training phase of their safeguard program, and after that they will have established a “cyber-security culture,” which is an affirmative defense whenever they experience a data loss or breach. They will document this in their compliance matrix, which serves as a roadmap to achieving and documenting their good faith efforts toward cyber-risk due diligence. The next step is to help them get their clients under the same safeguard program, which in turn makes them a safer risk and protects their best interests as well. I look forward to seeing the results of this agency. I am actually proud of them; I’ve never seen an agency be this proactive before.

Christopher Bomar

About the Author:

Christopher D. Bomar is the president and founder of Boomarang Data Backup and Security. A former Ohio licensed insurance agent, he is an author, speaker, instructor and consultant on data security risk management, best practices and due diligence. He specializes in Federal/State compliance and other regulatory matters relating to cyber security. Since 1999 Christopher has helped thousands of individuals and businesses to protect and recover data from total loss using online backup technology. He also teaches small businesses, non-profit organizations and local municipal governments how to implement best practices for safeguarding sensitive data and how to prevent data loss and theft. He currently teaches Continuing Education classes in Ohio and Kentucky for insurance agents, underwriters and adjusters. Christopher has served actively with several organizations, including the Cincinnati Insurance Board, the Greater Cincinnati African-American Chamber of Commerce, Black Data Processing Associates (BDPA) and the Cincinnati Business Incubator (CBI). He served as the 2007-2011 Consulting Services Director for the National Society of Black Engineers – Alumni Extension (NSBE-AE) Information Technology Think Tank (ITTT) Special Interest Group and has been a regular presenter at NSBE Conferences since 2007.