If you are a medical practice, dental practice, naturopath, chiropractor, or allied medical company providing services such as senior care or physical therapy, you are required to secure all medical records under the Federal Health Insurance Portability and Accountability Act or HIPAA. This includes all medical records that are stored electronically as well as paper files. There are serious fines and penalties for any breach or disclosure of protected health information (PHI) levied by the Federal Government as well as State penalties regarding the release of personal information such as; names, addresses social security numbers, credit card numbers, etc.
Should a data breach occur, under law, you are required to immediately investigate the extent of the data breach. That may require hiring a computer forensic specialist. You must notify in writing all parties whose information was compromised. Of course, notify Health and Human Services. With the exception of fines or penalties the cost estimate is $200 per record. In addition, there are potential legal consequences and the public relations fallout that must be dealt with promptly.
Common Misconceptions
Protecting data stored on the cloud is the responsibility of the cloud storage provider
Generally data stored remotely is not covered. However, depending on the contract with the cloud service company, many contracts indemnify the cloud storage provider in the event the system is compromised. This leaves the practice to deal with the repercussions.
The credit card processor is responsible if their system is compromised and patient data is released
It is the responsibility of the practice to notify their patients and follow protocol regarding a data breach. This may include 12 months of credit monitoring and leave the practice vulnerable to lawsuits.
My business owners policy includes this coverage
Most likely it will not be adequate insurance. While there may be provisions for replacement of lost data, general liability does not include the comprehensive coverage a practice will need.
Ways PHI can be compromised
- The server can be hacked from outside
- The server or devices, including desk top computers, laptops or other equipment which stores information are stolen or lost
- A virus attacks the hard drive and data is lost or frozen
- An employee unintentionally leaves information in plain sight or neglects to secure the files
- A disgruntled employee damages the system.
Extortion
Today, cyber criminals have the ability to infect your system with a virus that prevents access to data stored on the hard drive. A message is sent to the computer requesting a payment be made within a specified time frame or the data would be irretrievable. If, in fact, this results in the system being inoperable then activity in the practice would cease until the system can be replaced or restored.
Before there is an incident
Things you need to do in advance of a data breach
- Make sure you have trained all staff as to the proper procedures and practices to prevent an unintentional disclosure of PHI
- Complete an audit of the operation looking for areas of vulnerability
- Make sure your anti-virus software, encryption and firewalls are updated regularly and files are backed-up
- Be certain all devices are encrypted should they become lost or stolen. Don’t forget copiers and fax machines which also store data
- Make sure you have a comprehensive cyber liability insurance policy to protect the financial assets of the practice in the event all else fails and there is a breach
Insurance Protection
Cyber Liability Insurance
Cyber liability insurance will generally cover both 1st and 3rd party costs in the event of a covered loss. This means any lost revenue is protected, as well as replacement of data. But also, penalties, fines and notification cost as well as the cost to hire an attorney or bring in a public relation specialists
The cost of insurance is reasonable considering the exposure in the event of an incident.
Regardless of the precautions taken, the risk of a release of confidential information is highly likely. It is imperative to take steps to make sure the practice is protected
The DePuydt Agency
The DePuydt Agency specializes in cyber liability insurance which may include your HIPAA liability exposure. We can examine any current policies to see what coverage is currently in place and recommend any additional insurance that may be required. Contact us with questions.
Gary DePuydt
GARY DEPUYDT
COMMERCIAL LINES & EVENT INSURANCE SPECIALIST
Phone: 480.678.7889
Email: c@thedepuydtagency.com
