Do you have all bases covered when it comes to the issue of network security and data privacy risks? Michael Egan, senior vice president–unit manager at Lockton Companies, offers his perspective.
While exposure to medical malpractice remains a principal risk of financial loss for physician practices, network security and data privacy concerns continue to increase significantly. It is progressively more likely that when we pick up the paper, watch the news, or scan the Internet, a new report will appear about a business responding to a hacker, a data breach, or a privacy issue. What has changed to make these incidents more frequent?
1. An increasingly sophisticated criminal element;
2. An explosion of technology enabling the collection and storage of massive amounts of data (not always with timely and adequate training to protect the security of data); and
3. Increased regulatory scrutiny and enforcement of data privacy and security laws.
Securing an appropriate insurance solution, with adequate coverage limits, can be essential to ensuring the financial health of a physician group practice.
Federal privacy regulation
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the intent of protecting protected health information (PHI) from unauthorized disclosure. From late 1999 to early 2005, little significant change occurred relative to HIPAA.
In 2009, the American Recovery and Reinvestment Act (ARRA) was signed into law. Title XIII of ARRA outlined the Health Information Technology for Economic and Clinical Health Act (HITECH).
HITECH brought $31 billion in stimulus to grow the healthcare infrastructure and promote the use of electronic health records. In return for the stimulus, HITECH also imposed new requirements, new provisions for aggressive enforcement, and significant potential monetary penalties connected with the breach of PHI.
In September 2009, Health and Human Services (HHS) issued an Interim Final Rule for breach notification. HHS Office for Civil Rights (OCR) director Leon Rodriguez described the rule that eventually followed it thus: “This final omnibus rule marks the most sweeping changes to the HIPAA privacy and security rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider, or one of their business associates.”
It was not until January 2013 that the HIPAA Omnibus Final Rule, with a compliance deadline of September 2013, was finally published. Some of the most significant changes are:
• Covered entities and business associates are both directly liable to the OCR for compliance with the Final Rule, and both may be assessed civil money penalties for noncompliance.
• The term ‘business associate’ was expanded and business associate agreements must now be executed with subcontractors.
• The standard for determining whether a breach must be notified has been lowered: an impermissible use or disclosure is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI has been compromised.
• A covered entity must provide requested records in electronic format whenever possible.
2013 breaches and enforcement actions
Based on data within the HHS website, in 2013 there were nearly 180 breaches of PHI that each affected more than 500 individuals. According to the Ponemon Institute report, 94 percent of healthcare organizations have suffered data breaches; the cost of a breach is estimated at nearly $200 per record. It would seem that a breach of PHI is more a question of when, and not if, for healthcare organizations.
With the Interim Rule introduced more than four years ago and the Final Rule in place for one year, experts believe OCR will step up the assessment of civil money penalties against healthcare organizations that have experienced a breach of PHI. This trend is perhaps heightened by the Office of Inspector General’s December 2013 report that was especially critical of OCR’s diligence in carrying out its enforcement of the HIPAA and HITECH security requirements.
In 2013, OCR issued six resolution agreements with settlements ranging from $50,000 to $1,700,000. The costs of breach investigation, notification, and any third-party lawsuits are in addition to these settlement amounts.
Available insurance options
A vital component of any cyber liability risk management program is a complete insurance solution to address the exposure to loss. The consequences of a data breach or privacy incident are numerous and can be severe. Financial loss can result from:
• Third-party liability lawsuits (possibly class action) alleging damages resulting from the breach or incident;
• Civil money penalties assessed by a regulatory body;
• Costs of defending against those allegations;
• First-party breach response costs, including:
—Legal consultation expenses;
—Computer forensic and investigation expenses;
—Public relation consultation and advertising expenses;
—Postage expenses and other notification costs; and
—Credit monitoring and identity theft services to impacted patients;
• Network asset protection, including:
—Cost to restore digital assets; and
—Loss of income or increased expenses resulting from a cyber event;
• Cyber extortion and cyber terrorism.
The majority of physician malpractice carriers now provide an automatic cyber coverage grant as part of their professional liability coverage. The coverage provided is generally broad, responding to most of the exposures outlined. However, the limits provided with this automatic coverage are typically only $50,000 to $100,000 per incident.
Given the heightened regulatory scrutiny, the increased attention from the plaintiffs’ bar, and the significant investigation and notification costs, these ‘throw-in’ limits are increasingly inadequate to respond fully to an actual data breach or privacy incident. Higher limits of liability are available from numerous carriers, resulting in a competitive marketplace.
The insurance marketplace in the cyber liability space has expanded greatly in recent years, in response to both client need and the increasing awareness of the exposures present. The market is acutely dynamic and diverse, requiring a focused and experienced broker to navigate through all the options and assist in selecting the most appropriate coverage structure.
Michael Egan is senior vice president–unit manager at Lockton Companies. He can be contacted at: MsEgan@lockton.com