TMLT Has Physicians Covered
Law Feature — July 2014
Tex Med. 2014;110(7):27-33.
By Kara Nuzback
One shipping mistake nearly cost Andrew Brooker, MD, his professional reputation and hefty attorney fees. Last April, his Pennsylvania billing service asked him to mail 22,000 patients' electronic health records (EHRs) because the documents were too extensive to send electronically.
Dr. Brooker downloaded the patient information onto a password-protected disk and shipped it to Pennsylvania. When the billing company received the disk, it downloaded the information, then shipped the disk to a local information technology (IT) group. But the disk ended up at the wrong address, never to be recovered, says Dr. Brooker, an Amarillo orthopedic surgeon.
"You can have the best protection in the world," he said. "But somebody else drops the ball, and it all comes back to you."
Immediately, he contacted the Texas Medical Liability Trust (TMLT) and discovered cyber liability coverage is part of his insurance policy.
TMLT paid a lawyer to obtain the information contained on the lost disk from the billing company and review it to determine the extent of sensitive patient information at risk. The attorney sent a letter to each of Dr. Brooker's 22,000 patients to notify them of the possible compromise. She also set up a hotline Dr. Brooker's patients could call with questions and concerns about the potential data breach.
Dr. Brooker says he received some angry calls from patients, but so far there is no evidence that any of his patients' data have been used inappropriately.
"Somewhere around 1 or 2 percent of the records had a name or a birth date or something similar," he said.
But Dr. Brooker isn't out of the woods yet. He says he must update his practice's privacy protocols, and he faces potential federal fines, which he may have to pay out of pocket. (See "HIPAA Penalties Add Up.")
Fortunately, Dr. Brooker says, his TMLT policy has covered thousands of dollars in attorney fees.
"Otherwise, I would've spent $50,000 or $60,000 on lawyers by this point," he said. "TMLT's been extremely helpful and has protected me in this regard."
TMLT, which offers medical liability insurance to Texas Medical Association members, began offering cyber liability coverage in December 2011. It has received more than 150 cyber liability claims, most of which involved breaches of electronic protected health information (ePHI). TMLT is the only medical professional liability insurance company created and endorsed by TMA.
John Southrey, manager of consulting services at TMLT, says health care professionals underestimate the importance of cyber liability coverage. (See "Are You Covered?")
He says TMLT can help physicians comply with federal and state medical privacy and security laws, such as the HIPAA Omnibus Rule and the Texas Medical Records Privacy Act. TMA also offers services and resources. (See "Security Guidance From TMA.")
TMLT's cyber liability insurance will protect practices financially should a breach occur. The insurance covers a breach notification to customers and business partners, expenses for legal counsel, information security and forensic data services, public relations support, call center and website support, credit monitoring, and identity theft restoration services.
TMLT will pay up to $50,000 per claim for policyholders, with no deductible, including the cost of defense. Policyholders can purchase a policy limit of up to $1 million at a discounted rate.
Evaluate Your Risk
Mr. Southrey says last October, one TMLT policyholder received a complaint from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) alleging someone had stolen the practice's computers, including an unencrypted laptop. Along with other documentation, OCR requested a copy of the policyholder's most recent security risk assessment.
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for physicians participating in the Medicare and Medicaid EHR incentive programs. Mr. Southrey says OCR will likely increase its focus on timely and thorough HIPAA security risk assessments this year.
HHS developed the Security Risk Assessment (SRA) tool to allow small- and medium-sized practices to assess their HIPAA compliance and mitigate privacy risks. The SRA website has user tutorials and videos to help physicians get started.
The SRA tool also allows practices to print a report to provide to auditors or keep on file in case of a security breach.
TMLT offers access to cyber security tools and resources to help policyholders prepare for and respond to breaches. The Privacy and Security Toolkit can help health care professionals comply with privacy and security laws based on their practice size.
TMA offers webinars and publications to help professionals comply with privacy laws and manage ePHI.
Mobile Devices at Greatest Risk
Many cyber liability cases occur because health care professionals do not encrypt sensitive information on their computers, laptops, or mobile devices.
"Electronic PHI is being stored on more portable devices than ever before, and it is a practical certainty that there will be more breaches involving these devices," Mr. Southrey says.
HIPAA requires the secretary of HHS to publicly post information about breaches that affect more than 500 patients. The HHS breach notification webpage lists many instances in which unencrypted devices were the source of stolen patient records.
In February 2011, someone stole an unencrypted laptop from the vehicle of a Texas Health and Human Services Commission employee. The laptop contained ePHI for nearly 1,700 patients, including names, dates of birth, Medicaid identification numbers, procedure codes, and diagnoses. The agency punished the employees involved for failing to encrypt the data on their laptops.
A thief took an unencrypted laptop from Methodist Charlton Medical Center in Dallas in April 2011, potentially exposing 1,500 patient records. Afterward, the clinic revised its encryption policy.
Mr. Southrey says physicians can mitigate their risk of breach by encrypting their laptops and mobile devices. Encryption renders patient data unreadable so even if hackers access ePHI, they can't read it. Only physicians or authorized employees can access encrypted data.
A HIPAA-secure app is available for physicians. TMA offers DocbookMD, a free app for members that automatically encrypts messages sent on your smartphone or tablet. Using DocbookMD, physicians can send HIPAA-compliant messages containing text and photos at times when texting is the fastest way to send important information. Download the app here.
Physicians can work with their software vendors to ensure all computers and electronic devices include encryption software. For desktop or laptop computers, a system administrator, or in the case of smaller practices, a hired contractor, will typically install and configure the encryption products. Practices also can contact their EHR or practice management system vendors about encryption technology.
After implementing the encryption software, physicians should be able to encrypt and decrypt data simply by specifying which information they want to protect.
Most operating systems carry built-in encryption programs like these:
What to Do in Case of a Breach
If you suspect a breach of confidential information, HIPAA requires you to make several important notifications.
You must alert affected patients in writing within 60 days of the discovery of the breach. If you have insufficient contact information for more than 10 affected patients, you must post the notice on the homepage of your practice's website for at least 90 days or send the notice to a major media outlet in the area.
If the breach affects more than 500 patients, you must also provide notice in prominent media outlets within 60 days of discovery of the breach.
Practices must notify the HHS secretary of all security breaches through an electronic breach report form.
If a breach affects more than 500 patients, the secretary must post it publicly on the HHS website, commonly called the "Wall of Shame." Mr. Southrey says negative media attention can cut into a practice's profits.
"Consequently, practices may experience a significant reduction in income due to a drop-off in patient appointments," he said.
Cyber security can be confusing, and TMLT can help. Mr. Southrey says some health care professionals mistakenly believe that a HIPAA security risk analysis is optional for small practices or that EHR vendors automatically secure and encrypt patients' records.
"Those are all wrong assumptions with potential adverse ramifications, as state attorneys general and the federal government are becoming more emphatic in enforcing privacy and security compliance," he said.
Mr. Southrey says it is important for physicians to minimize their risk of violating privacy and security laws by reviewing their practice's processes, policies, and procedures and comparing them with the requirements in the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; the Health Information Technology for Economic and Clinical Health Act; and the Texas Medical Records Privacy Act.
Money for the Taking
According to Fourth Annual Benchmark Study on Patient Privacy and Data Security, a March report by independent research corporation Ponemon Institute, health care organizations pay about $188 per stolen record.
When someone hacked into a network server at St. Joseph Health System in Bryan last December, the hacker stole more than 400,000 patient records. In a February 2010 case, someone stole three unencrypted external backup drives from a San Antonio dentist's locked office, exposing 21,000 patient records. According to the Ponemon Institute's estimate, the breach could have cost the dentist nearly $4 million.
The Ponemon Institute study also found data breaches cost U.S. health care organizations an average of $2 million over the past two years.
"Based on the experience of the health care organizations in this benchmark study, we believe the potential cost to the health care industry could be as much as $5.6 billion annually," the report states.
TMLT offers first- and third-party coverage to protect organizations from financial collapse if a breach occurs. First-party, or digital asset, coverage includes:
- Restoring or recovering lost or damaged computer programs and data;
- Paying for credit monitoring and breach response services;
- Notifying patients of a breach;
- Offering help with crisis management and media relations; and
- Covering the practice in cases of cyber extortion and cyber terrorism.
Cyber terrorism normally involves a thief demanding money in exchange for the return of private information, Mr. Southrey says.
First-party coverage also includes lost income and extra expenses caused by the breach. For example, if a computer program or data glitch interrupts an insured physician's practice, TMLT's cyber liability coverage will pay for utilities and employee salaries during the period it takes to restore the program or data. TMLT will also cover extra expenses needed to pay staff overtime to restore lost data or to subcontract data-processing work to an IT vendor.
TMLT will also pay for income the practice would have expected to earn during the recovery process and all expenses incurred to continue business operations.
Third-party coverage deals with claims related to security and privacy breaches, regulatory investigations, and claims related to media liability, such as libel and slander; false advertising; and copyright, trademark, or domain name infringement, Mr. Southrey says.
TMLT strongly recommends physicians purchase more than the default $50,000 coverage. Mr. Southrey says several policyholders who experienced an ePHI breach used their $50,000 limit on defense and notification fees alone.
"At that point, the control of all further investigation, defense, and remediation falls upon the insured physician entirely," he said.
Physicians can also purchase standalone cyber liability coverage from TMLT, which offers higher policy limits and broader coverage.
But insurance is no substitute for an active cyber security program, Mr. Southrey says. Health care professionals need to review and update their privacy and security policies and procedures and enhance their IT security.
Kara Nuzback can be reached by telephone at (800) 880-1300, ext. 1393, or (512) 370-1393; by fax at (512) 370-1629; or by email.
HIPAA Penalties Add Up
Compliance with HIPAA regulations is more important as physicians face steeper penalties for breaches of protected health information (PHI) and as the U.S. Department of Health and Human Services Office for Civil Rights cracks down on violations.
Federal law increased penalties for HIPAA violations up to $1.5 million per violation. Civil penalties range from $100 to $50,000 per violation. Criminal penalties for lying to defraud a victim include a maximum $100,000 fine and up to five years in prison. Anyone who violates HIPAA rules to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm faces up to a $250,000 fine and 10 years in prison.
Back to article
Are You Covered?
John Southrey, Texas Medical Liability Trust's (TMLT's) manager of consulting services, says the company recommends practices conduct a cyber insurance review to ensure they have coverage that addresses regulatory fines, breach notification costs, first-party coverage of digital assets, and cyber extortion in which a thief demands money for sensitive patient information. Here are some sample questions TMLT recommends physicians ask themselves to evaluate their practices' cyber security:
- How are you currently safeguarding electronic patient data?
- Are you using encryption or other secure methods of preventing access to patients' protected health information?
- Do you keep your antivirus and antispyware software active and up to date at all times?
- Do you use hardware and/or software firewalls to block outside access to your computer systems and unauthorized outgoing activity?
- Do you currently have any coverage for cyber liability losses, and if so, how comprehensive is the policy?
- Do you understand your responsibility in notifying your patients if there is a cyber-related security breach resulting in invasion of their privacy?
- Have you considered the costs of lost production, lost time by employees working to fix the problem, and the overall loss of efficiency and potential reputational loss from a cyber claim?
If you think cyber security is lacking at your practice, learn more about TMLT's cyber liability coverage.
Back to article
Security Guidance From TMA
TMA offers physicians privacy and security guidance in Policies & Procedures: A Guide for Medical Practices, which can be tailored to meet a practice's needs.
Jeff Drummond and other attorneys with the Dallas office of Jackson Walker, LLP, wrote the HIPAA policies and procedures manual for TMA's guide. It features updated forms that will keep you in compliance with the latest regulations.
A hard copy of the guide with a customizable CD is $299 for members and $399 for nonmembers. The CD alone is $259 for members and $359 for nonmembers. To order the guide, call the TMA Knowledge Center at (800) 880-7955 or email knowledge[at]texmed[dot]org.
TMA also offers webinars, podcasts, and publications to help professionals comply with privacy laws and manage electronic protected health information (ePHI). All are available for purchase online.
The Changing World of Physician Communication in the Face of HIPAA and HITECH, a TMA publication, discusses the risks associated with using electronic mobile devices.
TMA's on-demand webinar, Complying With HIPAA and Texas Privacy Laws, highlights the latest changes to federal law and helps physicians comply with the latest HIPAA requirements.
Complying With HIPAA Security is available as a podcast or an on-demand webinar. The one-hour program details administrative, physical, and technical safeguards for physicians to ensure the security of ePHI.
HIPAA Training for Medical Office Staff is another on-demand webinar that educates administrators and clinical staff about the importance of complying with HIPAA and other privacy regulations.
TMA is also planning a series of seminars on HIPAA and risk management to begin in September.
Back to article
July 2014 Texas Medicine Contents
Texas Medicine Main Page