Did You Know… that the number of people falling victim to identity theft has more than doubled since 2003? In 2003, five million people were victims of identity theft. In 2012, that number jumped to 12.5 million. And the number of people affected by data breaches in the U.S. continues to climb each year.
In the prior decade, most data breaches were caused by human error, such as lost devices or records being exposed in insecure ways. Breaches have since become more targeted and sophisticated, with a large and growing share caused by hackers and cyber criminals. Because data now resides in many locations, including unsecured smartphones, laptops and tablets, and can be carried almost anywhere, thieves have far more targets to choose from. Most experts agree that the problem of data breaches will get worse before it gets better, with breaches expected to become not only more frequent but also more severe.
There is also more awareness of data risk than there was a decade ago, thanks in large part to the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, the Red Flags Rule and state data breach notification laws that require disclosure and corrective action by healthcare organizations.
How Much Does a Data Breach Cost a Practice?
A data breach at even a small physician practice could easily run into the hundreds of thousands of dollars, enough to cripple a practice that runs week to week financially. Expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, public relations expenses to salvage patient goodwill and advertising expenses to make the public aware of the steps taken to address the breach. There may also be significant civil penalties assessed against a practice involved in a data breach, ranging from $100 to $50,000 per violation depending on the level of culpability, up to an annual maximum of $1.5 million for all violations of an identical provision. The Department of Health and Human Services’ Office for Civil Rights has made clear that no practice is too small to be fined.
Are You Complying With the Latest Requirements?
Physicians are becoming increasingly aware that compliance with regulations like HIPAA is imperative. While training staff and preparing a compliance plan is something many practices can accomplish, controlling the data scattered across laptops, smartphones, memory sticks, human resources systems and the other devices used in the day-to-day operations of a medical practice remains a challenge.
Physician practices should have complied by September 23, 2013 with a final set of HIPAA federal privacy rules (the HIPAA Omnibus Final Rule). Under the new rules, doctors must now assume the worst-case scenario in the event of a possible privacy breach. Previous regulations had required a practice to notify affected patients and the federal government only if it determined that a breach involving patient records had occurred and that it carried a significant risk of financial or reputational harm to patients. The new rules eliminate that standard and replace it with a stricter one. Now, any impermissible use or disclosure of patient records is presumed to be a breach, and unless the practice conducts and documents a risk assessment that demonstrates a low probability that the protected health information was compromised, the breach must be reported. This new standard is expected to result in many more official reports of breaches, as well as additional work and costs for physician practices. (For the full rule, go to www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.)
HIPAA has traditionally focused on healthcare providers, health plans and other entities that process health insurance claims. But because some of the largest security breaches have involved healthcare providers’ business associates, many of the law’s requirements were extended to these entities as well as to their subcontractors. For physicians, a business associate may be any firm that handles patient data on their behalf, such as a storage provider, a shredding company or a benchmarking firm that measures physician performance. With contractors now directly liable under HIPAA, physicians’ offices also take on additional legal responsibilities. For example, if a vendor paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice may also face enforcement action for the violation caused by that business associate. Although the rules specify September 23, 2013 as the compliance date for the new regulations, healthcare professionals have an extra year to revise existing business associate agreements to bring them into compliance.
Additionally, physicians need to stay abreast of newly identified risks. For example, the Department of Health and Human Services now expects photocopy machines to be examined as part of data security: digital copiers contain hard drives that retain images of the documents they copy, scan, print or fax, so a machine returned to a leasing agent can carry thousands of patient records with it. Physician practices need to make sure that all personal information is wiped from such hardware before it is recycled, thrown away or sent back to a leasing agent. For more information on safeguarding sensitive data stored in the hard drives of digital copiers, go to http://business.ftc.gov/documents/bus43-copier-data-security.
Are You Adequately Insured Against Data Breach Risks?
Physicians will certainly continue to work hard to ensure compliance and prevent breaches of protected health information. Unfortunately, however, even the best prepared practices may not be able to prevent a breach from occurring. Consequently, every practice should have a plan in place for how best to handle a breach if one does occur, and must be cognizant of the potentially high financial cost that comes with it.
Many organizations now consider cyber security threats to be as big as — or bigger than — the threat of a natural disaster or fire. Just as those organizations carry insurance for the relatively small chance that a tornado or fire destroys their businesses, many now are looking at policies that will cover the potentially devastating impact of a data breach. There are specialized insurance products available that are directed at the healthcare provider market and address the particular liabilities faced by physician practices.
Even though data security insurance can be quite inexpensive, particularly when compared to the average claims paid out, physicians often do not pay as much attention to this type of coverage as they should. To many physicians who are busy maintaining their practices while installing electronic health records and meeting the requirements of meaningful use, weighing the options of data security insurance may feel overwhelming. Yet as more and more breaches are publicized, along with the amount of associated fines, more practices are working with their brokers to make sure they are managing their data security risks adequately. At the very least, physicians should look deeper at their existing coverage to see what, if any, of these types of risks may be covered by their liability insurance policy. The peace of mind that comes from adequate protection will be well worth the investment.
Patricia A. Costante is Chairman and CEO of MDAdvantage Insurance Company of New Jersey.