“You can have the best protection in the world. But somebody else drops the ball, and it all comes back to you.”


the billing company and review it to determine the extent of sensitive patient information at risk. The attorney sent a letter to each of Dr. Brooker’s 22,000 patients to notify them of the possible compromise. She also set up a hotline Dr. Brooker’s patients could call with questions and concerns about the potential data breach.

Dr. Brooker says he received some angry calls from patients, but so far there is no evidence that any of his patients’ data have been used inappropriately.

“Somewhere around 1 or 2 percent of the records had a name or a birth date or something similar,” he said. But Dr. Brooker isn’t out of the woods yet. He says he must update his practice’s privacy protocols, and he faces potential federal fines, which he may have to pay out of pocket. (See “HIPAA Penalties Add Up,” page 33.)

Fortunately, Dr. Brooker says, his TMLT policy has covered thousands of dollars in attorney fees. “Otherwise, I would’ve spent $50,000 or $60,000 on lawyers by this point,” he said. “TMLT’s been extremely helpful and has protected me in this regard.”

TMLT, which offers medical liability insurance to Texas Medical Association members, began offering cyber liability coverage in December 2011. It has received more than 150 cyber liability claims, most of which involved breaches of electronic protected health information (ePHI). TMLT is the only medical professional liability insurance company created and endorsed by TMA.

John Southrey, manager of consulting services at TMLT, says health care professionals underestimate the importance of cyber liability coverage. (See “Are You Covered?” opposite page.)

He says TMLT can help physicians comply with federal and state medical privacy and security laws, such as the HIPAA Omnibus Rule and the Texas Medical Records Privacy Act. TMA also offers services and resources. (See “Security Guidance From TMA,” page 30.)

TMLT’s cyber liability insurance will protect practices financially should a breach occur. The insurance covers a breach notification to customers and business partners, expenses for legal counsel, information security and forensic data services, public relations support, call center and website support, credit monitoring, and identity theft restoration services.

TMLT will pay up to $50,000 per claim for policyholders, with no deductible, including the cost of defense. Policyholders can purchase a policy limit of up to $1 million at a discounted rate.

Evaluate your risk

Mr. Southrey says last October, one TMLT policyholder received a complaint from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) alleging someone had stolen the practice’s computers, including an unencrypted laptop. Along with other documentation, OCR requested a copy of the policyholder’s most recent security risk assessment.

Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for physicians participating in the Medicare and Medicaid EHR incentive programs. Mr. Southrey says OCR will likely increase its focus on timely and thorough HIPAA security risk assessments this year.

HHS developed the Security Risk Assessment (SRA) tool to allow small- and medium-sized practices to assess their HIPAA compliance and mitigate privacy risks. The SRA website, www.healthit.gov/providers-professionals/security-risk-assessment, has user tutorials and videos to help physicians get started.

The SRA tool also allows practices to print a report to provide to auditors or keep on file in case of a security breach. TMLT offers access to cyber security tools and resources to help policyholders prepare for and respond to breaches. The Privacy and Security Toolkit can help health care professionals comply with privacy and security laws based on their practice size. The toolkit is available for purchase at tmlt.inreachce.com.

TMA offers webinars and publications to help professionals comply with privacy laws and manage ePHI; visit texmed.inreachce.com.

Mobile devices at greatest risk

Many cyber liability cases occur because health care professionals do not encrypt sensitive information on their computers, laptops, or mobile devices.

“Electronic PHI is being stored on more portable devices than ever before, and it is a practical certainty that there will be more breaches involving these devices,” Mr. Southrey says.

HIPAA requires the secretary of HHS to publicly post information about breaches that affect more than 500 patients. The HHS breach notification webpage, http://bit.ly/BreachTool, lists many instances in which unencrypted

28 TEXAS MEDICINE July 2014

