Data Breach Coverage: A New Reality
Side Note: As many physician practices are transitioning, or on the verge of transitioning, to electronic medical records (EMRs), a specific kind of medical liability is growing. The risk of a data breach is becoming more and more significant for physicians. Electronic medical records, combined with the Health Insurance Portability and Accountability Act patient privacy requirements, and the newer Health Information Technology for Economic and Clinical Health (HITECH) Act patient privacy requirements passed in 2009, could create an administrative mess and a massive financial loss for physicians and their medical practices if their patients’ personal information becomes compromised. The headaches include fines from the government (state and/or federal), required notification of patients, payments for identity monitoring for patients whose data was breached, lost business, legal defense and damages awarded, and damage to the practice’s reputation and the cost of repairing it, to name a few. And, like all health care costs, these costs are rising each year. As a result, many med mal providers are beginning to offer data breach (or cyber) insurance.
Ironically, smaller physician practices often feel that they are at a lesser risk for a data breach. But often, it is smaller medical practices that are at a higher risk and leave themselves open to major liability risk. This is because smaller practices often do not have a dedicated information security staff member. In fact, a study done by CDW in December 2010, mentioned in the article below, found that of 200 practices that have not yet transitioned to EMRs, 34% did not have network firewalls, 28% did not use encryption, and 30% did not even utilize anti-virus software.
The good news is that this newer form of insurance is offered by MyMedicalMalpracticeInsurance, a division of Cunningham Group. Sensing its importance, several of our major med mal carriers have started including this type of coverage in their general med mal policies. For those policies that do not include this coverage, a separate cyber policy can be purchased. Because this kind of coverage can vary from carrier to carrier, a physician should know the kind of coverage he or she wants and know what is covered (or not) in the policy he or she is purchasing. Also know that having this type of coverage does not exempt a doctor from complying with all relevant government health care information regulations. And, even if a physician’s medical practice has a policy that covers a data breach, he or she should still be proactive: strengthen the practice’s data security and put in place appropriate policies and procedures to prevent such a breach and reduce liability and exposure.
If you would like to lower your med mal rates, or inquire about cyber insurance, complete our free, no-obligation quote request.
Thinking of buying data breach insurance? Here are some things to consider
Technically Speaking. By PAMELA LEWIS DOLAN, amednews staff. Posted Jan. 31, 2011.
A new type of insurance is designed to protect health care organizations from a crippling financial loss in the event of a data breach. The stand-alone insurance policies would cover the expenses a practice can expect when a data breach occurs. And those expenses are rising each year.
The per-patient costs associated with a breach have risen to more than $200 for notification and loss of income, according to the Ponemon Institute, a research firm in Traverse City, Mich. And the government now has the power to impose hefty fines against health care organizations that fail to protect their patients’ privacy. A policy covering these costs may offer peace of mind to practices that would be devastated if a worst-case scenario happened, say sellers of data breach insurance.