Marin Medical Society

Marin Medicine

PRACTICAL CONCERNS: Cyber Liability Coverage


Claudia Dobbs

Almost a decade has passed since the first HIPAA Privacy and Security Rules went into effect. Ever since, physicians and their staff have labored to act in accordance with these regulations by developing and implementing policies and procedures that shield protected health information (PHI); by advising patients how their PHI may be used and their right to limit access to the data; by identifying business associates, safeguarding the transmission of electronic PHI, and much more.

This past decade has also witnessed massive expansion of technology that can be used to transmit and store PHI and promote collegial communication. These technologies include electronic health records, smartphones, email, communication portals, laptops, iPads, eICUs, telemedicine, social networks, and data storing “clouds,” to name just a few. The capability for physicians to communicate and collaborate electronically via HIPAA-compliant smartphone platforms such as DocBookMD is yet another example of innovative healthcare technology (see the article on DocBookMD elsewhere in this issue).

Although federal and state regulators encouraged the development and use of healthcare technology, they again raised the bar of responsibility for physicians by implementing the HITECH Act breach notification regulations, which went into effect in 2010. The HITECH Act reinforces the HIPAA rules, outlines a data breach notification process, and threatens significant fines for noncompliance.

In spite of doctors’ heightened awareness of both federal and state confidentiality rules and regulations, a 2011 Ponemon Institute study illustrates that healthcare data breaches are on the rise and that more work needs to be done to protect PHI, computing devices and patients harmed by data breaches.[1] Among the study findings:

  • 96% of all healthcare providers who participated in the study had at least one data breach in the last two years.
  • 49% of the respondents cited lost or stolen computing devices. 81% of the healthcare organizations in the study reported using mobile devices to collect, store and/or transmit some form of PHI.
  • 49% of the participants admitted that their organizations do nothing to protect mobile devices.
  • Only 29% of respondents agreed that prevention of unauthorized access to patient data and loss or theft of such data is a priority in their organization.
  • 90% of the surveyed healthcare organizations indicated that the breaches caused harm to patients; however, 65% did not offer protection services to the affected patients.

These statistics are disturbing, but perhaps even more disturbing are the reported costs to participants in the study. The average economic impact of a data breach was $2.2 million. While this data reflects the costs of larger organizations rather than the typical medical group, it is an indication of the expenses associated with recovering from a data breach. In addition to these expenses, 81% of the respondents believed their organization suffered from time and productivity diminishment after a breach, followed by brand or reputation diminishment (78%) and loss of patient goodwill (75%). The average lifetime value of one lost patient rose from $107,580 in 2010 to $113,400 in 2011.

Does your malpractice insurance carrier protect you against privacy breaches with cyber liability coverage? Several types of coverage are available. MIEC, for example, provides a “DataGuard” endorsement for each physician’s policy.

The DataGuard protection covers most types of expenses policyholders may have to pay in the event of a privacy breach, with a limit of $50,000. This limit is a basic level of protection. DataGuard coverage includes:

Network security and privacy insurance. Coverage for both online and offline information, virus attacks, denial of service, first-party HIPAA violation coverage and Red Flag Regulations. This includes coverage for fines and penalties from privacy regulatory actions.

Patient notification costs and credit monitoring insurance. Coverage for necessary legal, PR, advertising, IT and forensic costs and postage expenses incurred by you to notify third parties of a breach of information. It will also pay for one year of credit monitoring for all affected parties.

Data recovery costs insurance. Coverage for reasonable and necessary sums required to recover and/or replace data that is compromised, damaged, lost, erased or corrupted.

Given the expenses involved in responding to a breach, MIEC recommends considering higher limits.

MIEC also provides an electronic platform that enables policyholders to understand and deal with these new and evolving exposures. Policyholders can explore these tools by logging into www.miec.com and clicking on the DataGuard link. The tools and resources on the website include compliance materials, implementation checklists, training programs and step-by-step procedures to reduce risk, such as information on the proper destruction of protected health information.

If you haven’t done so already, you need to implement the changes necessary to be in compliance with the HITECH Act. You should also revisit the HIPAA Privacy and Security Rules to ensure you are in compliance. (Information on complying with these rules can be found on www.miec.com.) If you do experience (or believe you have experienced) a data breach, you should call your professional liability carrier right away.


Ms. Dobbs is a loss prevention manager at MIEC.

Email: ClaudiaD@miec.com

Reference

  1. Ponemon Institute, “Second annual benchmark study on patient privacy and data security,” idexpertscorp.com (2011).