The HIPAA/HITECH federal law, which became effective on March 26, 2013, put real teeth into a healthcare provider’s responsibilities regarding the use, collection and disclosure of Personal Health Information (PHI). In today’s environment, the potential release of personal health information or sensitive data because of a cyber attack, computer virus, improper disposal of paper records, insider criminal activity, technological malfunctions or even an employee mistake such as a lost or stolen laptop is a very serious concern. Offices of healthcare providers are especially vulnerable because they:
- Take in client social security numbers;
- Accept insurance;
- Take Medicare/Medicaid;
- Have a website or use email;
- Use third party vendors;
- Process credit cards;
- Utilize bank account information;
- Store healthcare records and other non-public information.
A physician’s office may have firewalls, virus protection, anti-spam systems, and procedures to protect passwords and prevent employees from downloading dangerous material. But these measures are not foolproof. Failure to comply with the HIPAA/HITECH law could result in a fine of up to $1,500,000! In addition, the out-of-pocket costs without proper insurance coverage are staggering:
- Credit monitoring costs (estimated at $20 to $30 per record)
- Notification costs (estimated at over $200 per record)
- Significant attorney costs
The law requires that, among others, the following assurances be in place to safeguard personal health information:
- Business Associate Agreements requirements;
- Requirements to provide patients with electronic copies of their records;
- Mandates requiring businesses to have in place the following to protect personal health information:
  - Confidentiality procedures
  - Data encryption for electronic health record systems
  - Incident response plans in the event of a data breach
  - Staff training to promote compliance
A cyber liability insurance policy assists insureds in meeting the terms of these new strict regulations, enforced by the Office of Civil Rights. If you have a data breach, you can literally make one phone call to the “Breach Response Service” and they will take over.
The following coverages are provided under a cyber liability policy:
- Information Security and Privacy Liability Insurance – Coverage for third party claims alleging a financial loss as a result of a breach;
- Regulatory Defense and Penalties Insurance – Coverage for forensic expenses (to determine the extent of the breach) as well as defense costs and fines/penalties for violations of privacy regulations;
- Website Media Content Liability Insurance – Coverage for online and offline media. Includes coverage for claims alleging copyright/trademark infringement, libel/slander, false advertising, plagiarism, and personal injury;
- Privacy Breach Response Services Insurance – Includes all reasonable legal, public relations, advertising, IT forensic, credit monitoring and postage expenses incurred by the insured for notifying a third party of a privacy breach;
- Data Recovery Costs Insurance – Includes all reasonable and necessary sums required to recover and/or replace data that is compromised, damaged, lost, erased or corrupted;
- Cyber Extortion Insurance – Coverage for extortion expenses and extortion monies as a direct result of a credible cyber extortion threat.
In addition, policyholders have access to tools to create policies and procedures in their practices as well as monthly newsletters to keep them abreast of the changing law. Online templates are available to create privacy notices, sample policies and procedures manuals, training courses for employees and security officers, phone and email support. You will also have online access to consultants and attorneys on data security issues.
John Gracey Backer, CPA
John Gracey Backer, CPA, is the Treasurer of Gracey-Backer, Inc., an Insurance Agency in Delray Beach, Florida specializing in All Lines of Malpractice, Professional and Personal Insurance for the Healthcare Provider. He can be contacted at 800-272-6055 ext 128, or at firstname.lastname@example.org.