What Is Your Agency Liability When Employees Steal PHI?
April 16, 2015
By Michael Ramsby
President, GRA Benefits Group
Most of the HIPAA breaches you have heard of lately involved an unknown outside entity hacking into a company’s network and accessing protected health information (PHI) and/or personal financial information. So most agencies think a breach won’t happen to them: why would a hacker waste time coming after the small number of records you have? But what if the thief was an employee? What is your agency’s liability?
Recently, a large Michigan-based insurer had an incident in which an employee took screenshots of customer information and used the information to commit credit card fraud. More than 5,000 subscribers were affected.
That insurer has a compliance program in place. Its employees sign confidentiality agreements and take HIPAA training regularly. It employs access controls and encryption, and ensures strong passwords. Someone was still able to steal information from it.
When the government investigation is done, the insurer may not be liable because of their compliance programs. But, if this was your agency and one of your employees committed this crime, would you be liable? If you do not have a compliance program in place and do not embrace the spirit of compliance in your agency, you could be looking at fines upwards to $1.5 million for each breach.
You can’t 100% protect yourself from a theft. Even with the best safeguards in place, insider threats can only be reduced, never eliminated. But if you have a compliance program in place, you will be much better off with the government, your carriers and your clients.
Sign up for one of GRA Benefits’ monthly HIPAA webinars to learn about implementing a compliance program at your agency.