Page 14 - 74321_NSAA_SpringJournal_Web
Operations
When a ski area considers embracing such use of electronic data collection through its patrol operations, a number of issues should be considered. Most vendors who provide such software already encrypt HIPAA-sensitive fields (personally protected data, medical info, etc.) as part of the product and services, but this should be a key part of your discussions with these vendors. Similarly, data ownership is also key. Often, the ski area owns this data, even though it may be securely stored in cloud storage space either owned by the vendor directly, or the cloud storage is leased from a large company (Google, for example). If the ski area owns all this data and ultimately controls it, that may raise questions about the applicability of any indemnification provisions in service agreements.

Accordingly, ski areas need to have protocols in place when using this software as part of their HIPAA risk management program. This could include, for example, requiring login passwords (and periodic password change requirements) and limits on who can access the data (e.g., only supervisors, all patrollers, volunteers, but perhaps not allowing access beyond data input, and so on).

Industry vendors—including 1Risk, GeoAudit, Mountain Ops LLC, and Steep Management, to name a few—also typically carry higher levels of insurance coverage (including cyber-security insurance) to protect against hacking and data breaches, and ski areas should inquire about the applicability and limits of such coverage when negotiating these service agreements. Equally important, though, ski areas should also consider their own stand-alone cyber-security insurance policies. Data breaches, including those involving HIPAA-sensitive materials, are typically not covered by general liability insurance. As hacking incidents grow dramatically across all industries, ski areas are definitely not immune from such attacks—whether the divulged information is credit card numbers or private medical information.

What are the requirements under HIPAA?

HIPAA consists of four main regulations: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. The Privacy Rule requires “covered entities” to have written policies and procedures in place to facilitate patients’ rights to access, restrict, and amend their private health information. The Privacy Rule also creates administrative requirements governing a covered entity’s use and disclosure of patient information.

The Security Rule establishes guidelines for the protection of personal health information that is either maintained or transmitted electronically. Essentially, the Security Rule requires covered entities to employ technical and physical data protection measures to ensure the security of electronic protected health information.

The Breach Notification and Enforcement Rules are triggered when a covered entity engages in an impermissible use or unauthorized disclosure of protected health information. The Breach Notification Rule requires disclosure of breaches to the affected individuals or patients, and separately to the Secretary of Health and Human Services within 60 days of discovery of a breach. However, the Breach Notification Rule also outlines certain exceptions for minor or inconsequential breaches, where the risk of harm to an individual patient is very low. Penalties for violations of HIPAA due to breaches or other noncompliant acts are governed by the Enforcement Rule and vary based upon the covered entity’s degree of culpability. The Health and Human Services Office for Civil Rights is responsible for evaluating breaches to determine the appropriate penalty.

Due to the complexity of the requirements under HIPAA, if you believe that your resort or patrol may be a covered entity, it is strongly advised that you consult with counsel on how best to ensure your compliance.
12 | NSAA JOURNAL | SPRING 2017