Recent Trends in Records Breach – Check Your Insurance Policies
Recently we highlighted “Medical Records Requests” and “Breach of Confidentiality” as two of the five legal issues that most often impact social workers. This impact leads to lawsuits, licensing board inquiries, and HIPAA information breach liability, particularly regarding HIPAA HITECH 45 CFR part 160 that holds social workers liable for a third-party data breach. This is in addition to first-party client information breach liability, to which social workers have already been subject. An information breach can involve any paper or digital information regarding the client, and can be caused by first-party or third-party actions.
So what is going on and what is the recent trend? A recent survey of six major liability insurance carriers, covering their respective professional liability claims experience and claims adjudication with lawyers nationally, has surfaced some valuable tips. (Claims Journal; “Seeing Rise in Malpractice Claims Severity”; 7/3/14) There is an overwhelming and increasing number of claims arising from client information breached through stolen or lost laptops and devices, and 75% of insurance carrier respondents listed this as the most likely cause of a breach. The second most frequent breach is caused by information exchange and the steps involved in that exchange.
The practitioner must know the relevant status and touch points of client records. This includes who receives the records, where the records are stored, how the records are stored, how the records are transported or sent digitally, and how the records are shared. Each one of these touch points represents a link in the chain of risk, and the social worker must verify that insurance coverage is in place to cover the perils. A social worker cannot assume that her/his employer will assume liability and that the employer’s liability insurance will extend to the social worker employee. The employer’s priority is to the employer.
Beyond this, ask who is handling the records. There is a difference between first-party and third-party coverage in the insurance policy. There are many holes and exclusions in professional liability policies, and few cyber liability policies are on the market today. Many have exclusions and deductibles, and all have high premiums except for the Preferra Insurance Company RRG policies, which have no deductibles, cover the major perils, and are exceptionally low priced. This value is reflected in the fact that the policyholders own the Risk Retention Group, which is the insurance carrier and is not owned by a Wall Street-traded, profit-motivated corporation. Not all professional liability insurance policies on the market today cover any or all information breaches. The few cyber liability insurance policies and endorsements on the market today may not cover all types of breaches and perils. None offer as low a premium as the Risk Retention Group.
So what is cyber liability and breach of patient information? A data breach is the release of secure information into an unsecure environment. This happens intentionally or unintentionally. A data breach or security incident occurs when confidential data such as client records or personal financial data is copied, transmitted, viewed, stolen, or used by an individual, first party or third party, unauthorized to handle such information. This may involve information such as client names and phone numbers/email addresses, financial records, credit card, debit card, bank details, personal health information (PHI), personally identifiable information (PII), trade secrets, and intellectual property. Such incidents pose the risk of identity theft or other serious consequences.
The Federal government and many states have enacted laws with safeguards, notification requirements, and penalties to protect the security and confidentiality of information, and specifically medical information, as it is stored conventionally, electronically, and shared electronically. An example of this aimed directly at healthcare professionals began in March 2013, when Congress passed the 45 CFR Part 160 HIPAA HITECH Law, which became enforceable on many occupations including social workers and the behavioral health industry effective September 2013. This makes social workers liable for data privacy breaches by third-party data management vendors used by social workers. Under HIPAA, and in many states under state law, the social worker is now ultimately responsible for protecting the client data no matter where the data is. The social worker has this duty, and the social worker is liable if the client data is compromised. This includes breaches of client records held by third parties whom the social worker hires to manage them. This opens up many liabilities for the social worker in today’s technology-driven world. The risks associated with doing business online and storing sensitive information electronically and on paper are increasing.
Simply losing a laptop, a mover losing a records file box or an envelope with a patient file in it, a burglar simply opening up a file drawer in the social worker’s office, a lost flash drive, or the social worker’s data management vendor accidentally faxing or emailing a patient record or form to the wrong phone number or email address, as well as a deliberate cyber-attack on the social worker’s data management vendor are all examples of data breaches which become the social worker’s responsibility.
As a Social Worker How Can I Get Protected?
Cyber Liability insurance coverage for small practices and social worker agencies is still relatively new to the insurance world. Except for the Preferra Insurance Company RRG, virtually no insurance carriers have it as an affordable insurance addition for social workers.
Some Professional Liability insurance policies provide data breach coverage if the breach occurs within the control of the practitioner only. The Preferra Insurance Company RRG provides Professional Liability insurance protection that covers data breach within the control of the practitioner.
Published September 2015