TMLT Offers Data Protection Coverage
Tex Med. 2012;108(4):43-48.
By Crystal Conde
In a health care environment that calls for electronically storing and exchanging confidential patient health information, physicians increasingly need a new type of insurance coverage: cyber liability. Pervasive distribution of patient data puts health care institutions and medical practices at risk for data breaches, which include theft or loss of paper and electronic records, laptops, and mobile devices, as well as sophisticated hacking schemes.
The Texas Medical Liability Trust (TMLT) began offering cyber liability coverage in December. (TMLT is the only health care liability claim trust exclusively endorsed by the Texas Medical Association.) The new coverage offers protection for network security breaches and privacy-related exposures faced by medical professionals.
Confidential patient information, including billing information, Social Security numbers, birth dates, and home addresses stored in patient medical records, and vendor and medical facility databases can be a gold mine for thieves.
For instance, in December 2010, the Harris County District Attorney's Office notified Texas Children's Hospital that someone had breached its accounts payable system. The culprit used names and Social Security numbers of some hospital employees and vendors who received checks from 1999 to 2011 to open fraudulent utility accounts.
Last September, Science Applications International Corporation (SAIC) reported the theft of backup computer tapes containing personal health information for nearly 5 million Military Health System TRICARE beneficiaries treated in the San Antonio area since 1992.
According to TRICARE, information on the tapes may have included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, and prescription records. SAIC is a government contractor for the Military Health System.
Someone took the tapes from an SAIC employee's car while they were being transferred to a federal facility in the San Antonio area. TRICARE initially indicated the data stored on the tapes was at low risk of harming patients because "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."
Months after releasing the statement, two military veterans filed separate class action lawsuits against the U.S. Department of Defense and SAIC seeking free credit-monitoring services and $4.9 billion in damages from the theft.
TRICARE eventually directed SAIC to provide free credit-monitoring and credit-restoration services for one year to the 4.9 million beneficiaries potentially affected by the data breach.
What happened to Texas Children's Hospital and TRICARE isn't unusual, unfortunately. A quick web search generates links to thousands of articles on stolen media containing patient information; hacked medical databases; fraudulent activity using ill-gotten personal information; inappropriate disposal of patient and employee records; and lost or stolen paper records. The list goes on. These data breaches occur not only in large government entities and hospitals, but also in medical practices and other health care settings.
Reduce Exposure to Loss
TMLT Sales and Business Development Manager John Southrey says physicians can take the following basic steps to protect their patient health information:
- Collect the minimum amount of personal information necessary for practice purposes.
- Retain personal information for the minimum time necessary.
- Destroy sensitive data properly and thoroughly.
- Implement a data security policy.
For additional guidance, TMLT policyholders and group administrators can access a cyber liability risk management website by visiting myTMLT, www.tmlt.org/myTMLT.
John Lubrano, PhD, president of Austin-based Protis IT Solutions, specializes in office automation and electronic health record (EHR) systems for medical practices.
He says any computing device can contain data susceptible to loss or theft.
"That includes servers, server disks, backup tape media, USB flash drives, desktops, laptops, smartphones, tablets, and CD or DVD media," Dr. Lubrano said. "The purpose of data encryption is to prevent the loss of data when the physical device holding the data is lost or stolen."
When tackling encryption as part of medical practice privacy and security management, Dr. Lubrano says encrypting everything is "expensive and highly inconvenient for any firm and its users."
Instead, he says, most practices should audit and identify the high-risk items and encrypt the data they contain.
From a data security perspective, the best option for smaller practices that have few systems or only one central EHR system, he says, is to have a system that does not store any EHR data on any device. For example, a hosted EHR or a cloud-based system would, by definition, have no data on any desktop, laptop, smartphone, or other device inside the physician practice. (See "Gathering Clouds," January 2012 Texas Medicine, pages 23-27.)
While no record-storage method is 100-percent secure against data breaches, Dr. Lubrano says cloud-based systems store data "in a secure data center where ample physical security is already provided. One can still copy data to removable devices, but these are usually not available to normal users."
Large medical groups likely will find backup media, USB storage devices, laptops, and smartphones at highest risk of potential data loss.
Dr. Lubrano says that loss or compromise of backup media can result in a total loss for a practice because these media contain a plethora of patient records.
To avoid this and other privacy and security nightmares, Dr. Lubrano recommends:
- Eliminating or reducing sensitive data at endpoints, which are devices in the company network that interface with users, such as desktops, laptops, tablets, and smartphones;
- Identifying your sensitive data exposure risk on laptops and smartphones or tablets; and
- Using data encryption in a practice's security procedures.
Dr. Lubrano suggests physicians exercise due diligence before hiring privacy and security experts to help ensure they're reputable, competent, and prepared to handle any adverse situations that arise.
"Obtain and review the contractor's privacy and security plan; ask for audits, documentation of audits, and the disaster plan; and test the system," he said.
Additional steps a practice can take to limit exposure to data loss or compromise include avoiding storage of sensitive data locally on desktops and portable devices, properly training employees to handle sensitive information, obtaining cyber liability insurance, restricting physical access to sensitive data, and limiting vendors' remote access to servers and systems.
Follow the Law
Hospitals and medical practices aren't the only entities affected by data breaches. Last year, someone stole a laptop with information on 14,475 patients from Massachusetts eHealth Collaborative, an implementation services company, according to the company's President and Chief Executive Officer Micky Tripathi.
Massachusetts eHealth Collaborative has patient records because it often helps customers transfer patient demographic data from their old practice management systems to their new EHR and practice management systems. In the end, the company spent $288,808 in legal fees, credit-monitoring services for patients, printing, postage, mailing supplies, staff time, and media consultations. Fortunately, after payment of a $25,000 deductible, Massachusetts eHealth Collaborative's insurance covered some of the costs, except staff and media consultants' time, which added up to $161,800.
Companies like Massachusetts eHealth Collaborative are subject to federal and state laws and regulations in the event of privacy and security incidents. Ultimately, however, physicians are responsible when a contractor drops the ball on privacy and security.
Increased penalties under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, and enforcement actions by the federal government and states' attorneys general have serious implications for physicians who fail to comply with the rules. Most important, according to Deborah C. Hiser, JD, is complying with the encryption and destruction requirements under HITECH, auditing electronic systems to detect security incidents and violations, and notifying patients quickly in the event of a breach, especially identity theft. Failure to do so can result in substantial penalties and oversight by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
TMA has developed resources, in conjunction with Ms. Hiser and Ana Cowan, JD, with the law firm of Brown McCarroll LLP, to help physicians comply with the HIPAA regulations. Both attorneys focus on health care regulatory and compliance matters. (See "HIPAA Compliance Help From TMA.")
HHS defines a breach as "an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information" and poses a significant risk of "financial, reputational, or other harm" to the patient.
Though the rules to implement certain HITECH requirements, including accounting and oversight of business associates, are not final, OCR Director Leon Rodriguez said they will be soon. Check the OCR website, www.hhs.gov/ocr, periodically for the final rules. (For more information about HIPAA and HITECH regulations and notification requirements, see "Mum's the Word," August 2010 Texas Medicine, pages 49-53.)
The federal government isn't waiting to enforce the law.
"Physicians can't wait on the final regulations to comply," Ms. Hiser said. "HITECH requires them to keep track of any security incidents, such as attempts to access the patient record system, regardless of whether they are successful. Physicians have to submit logs of all breaches of unsecured protected health information to the federal government."
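As an added illustration of the incident-tracking requirement Ms. Hiser describes (example code written for this article, not TMLT's, TMA's, or any EHR vendor's), the following Python sketch records every attempt to open a patient record, successful or not, and lets the practice review accounts with repeated failures. It goes one step beyond the article by chaining the entries with SHA-256 so that a deleted or altered entry shows up on review; that hash chaining, the `AuditTrail` class, and the user and patient identifiers are all constructed for this example.

```python
"""Minimal audit trail for a patient record system (added example).

Every access attempt is recorded, whether it succeeded or not, as the
security-incident tracking described in the article requires. Entries are
hash-chained so that removing or editing one is detectable on review.
Class and field names are assumptions made for this illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash value for the very first entry


class AuditTrail:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a stable order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, patient_id, action, success, reason="", when=None):
        """Append one access attempt; failed attempts are recorded too."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "patient_id": patient_id,
            "action": action,
            "success": success,
            "reason": reason,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def failed_attempts(self, threshold=3):
        """Map user -> number of failed attempts, for users at or above threshold."""
        counts = {}
        for e in self.entries:
            if not e["success"]:
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}


def build_sample_trail():
    """Constructed sample: one clinician views a chart, then a shared
    'temp_login' account fails three times before succeeding."""
    trail = AuditTrail()
    t = datetime(2012, 4, 2, 9, 0, tzinfo=timezone.utc)
    trail.record("dr_smith", "P-1001", "view", True, when=t)
    for minute in (1, 2, 3):
        trail.record("temp_login", "P-2002", "view", False,
                     reason="bad password", when=t.replace(minute=minute))
    trail.record("temp_login", "P-2002", "view", True, when=t.replace(minute=4))
    return trail


if __name__ == "__main__":
    sample = build_sample_trail()
    print("chain intact:", sample.verify() is None)
    print("accounts with repeated failures:", sample.failed_attempts())
```

On review, `verify()` returning an index rather than `None` means the log has been cut or altered at that point and should itself be treated as a security incident; `failed_attempts()` gives the list of accounts a practice would look at first when reviewing the month's access attempts.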
The new regulations raise the penalties for HIPAA violations. Civil penalties for unintentional HIPAA violations range from a minimum of $100 per violation to a maximum of $50,000 per violation. Criminal penalties for fraud include a minimum $100,000 fine and up to five years imprisonment. Individuals who violate HIPAA with intent to sell, transfer, or use protected health information (PHI) for commercial advantage, personal gain, or malicious harm face a maximum $250,000 fine and 10 years imprisonment.
For more information about penalties, consult Section 13410 of the HITECH Act, www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.
Ms. Hiser says physicians would be smart not only to have a system to detect PHI breaches but also to encrypt all confidential patient information. The reason: Physicians and business associates must provide the required notification only if the breach involves unsecured PHI. HHS posted information on ways to render unsecured PHI unusable, unreadable, or indecipherable on its website, www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.
"Physicians need to train their employees on the HITECH Act requirements and talk with their information technology consultants to make sure their systems can encrypt PHI and detect breaches," she said.
Crystal Conde can be reached by telephone at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by email at firstname.lastname@example.org.
HIPAA Compliance Help From TMA
TMA has resources to help physicians comply with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. TMA has a recorded webinar on HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, presented by Deborah C. Hiser, JD, an expert in health care regulatory and compliance matters with the Austin office of Brown McCarroll, LLP.
The webinar guides physicians in preparing and implementing policies to comply with HIPAA and HITECH regulations. It is available through December 2013. For more information, contact the TMA Knowledge Center at (800) 880-7955, or visit the TMA Education Center, www.texmed.org/education.
TMA designates the webinar for a maximum of 1 AMA PRA Category 1 Credit™, including ethics and/or professional responsibility education.
In addition, TMA sells Policies & Procedures: A Guide for Medical Practices. Medical practices can tailor the guide to establish policies and procedures for tasks such as hiring employees and paying staff, developing an emergency response and preparedness plan, and much more. Ms. Hiser and Ana Cowan, JD, wrote the HIPAA and HITECH privacy and security manuals for TMA's policies and procedures guide. The manuals include template policies and forms for staff training on the HITECH Act requirements; business associate agreements that incorporate the HITECH amendments; breach risk assessments; and information on the use of email with patients.
Ms. Hiser recommends sharing the HIPAA/HITECH Security Compliance Manual with a practice's information technology officer or contractor. That officer can use the manual's complete list of HIPAA security requirements and template policies and procedures to develop a security program that complies with HITECH.
A hard copy of the guide with customizable CD is $295 for members and $395 for nonmembers. The customizable CD alone is $255 for members and $355 for nonmembers.
To order the guide, call the TMA Knowledge Center at (800) 880-7955 or email email@example.com.
Texas Medical Liability Trust (TMLT) Sales and Business Development Manager John Southrey says medical practices are particularly vulnerable to computer hacking, viruses, and identity theft because of the amount of sensitive information they collect. TMLT decided to offer cyber liability coverage due to a need for the service.
"All individual and physician group policies, excluding scheduled/slot policies, have the new cyber liability coverage," Mr. Southrey said.
Because the coverage is so new, he says, TMLT hasn't had any cyber liability claims to date. TMLT's cyber liability coverage is available for physicians, medical groups, or for physicians and entities combined, and it's included with a policy at no additional cost. The policy covers what TMLT considers the four most important data breach and privacy liability exposures:
- Network security and privacy insurance that covers third-party claims from electronic and physical information breaches, virus attacks, hacks, identity theft, and defense costs for regulatory proceedings.
- Regulatory insurance that covers administrative fines and penalties a policyholder must pay because of an investigation by a federal, state, or local government agency resulting from a privacy breach.
- Patient notification and credit-monitoring costs coverage that includes all necessary legal, information technology forensic, public relations, advertising, call center, and postage expenses incurred by the policyholder to notify third parties about the breach of information. This coverage also will pay for credit monitoring for all affected parties.
- Data recovery costs insurance that includes all reasonable and necessary costs to recover and/or replace compromised, damaged, lost, erased, or corrupted data.
TMLT will pay these costs or pay on behalf of the insured. It will reimburse policyholders for regulatory fines and penalties.
TMLT's cyber liability coverage offers annual aggregate limits of $50,000 per insured physician or entity. Increased limits up to $1 million are available for purchase on a discounted basis. For more information, call TMLT at (800) 580-8658.