Malpractice Insurer Covers Breach Costs
Interview with Bill Fleming of The Doctors Company
In an exclusive interview, Bill Fleming, assistant vice president at The Doctors Company, describes the new Cyberguard program, which provides coverage of the costs involved in:
The program covers up to $50,000 in expenses per physician for no additional premium.
Fleming advises physicians to minimize the risk of a breach by making widespread use of encryption, creating detailed guidelines for online communication with patients and training their staff on prevention steps.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we are talking with Bill Fleming, assistant vice president at The Doctors Company, which sells malpractice insurance to physicians and now offers coverage of privacy and security risks as well. Thanks for joining us today, Bill.
BILL FLEMING: My pleasure, thank you.
ANDERSON: I understand the addition of this new privacy and security coverage was prompted by customer requests. Do you think that was largely the result of the HITECH Act, which creates tougher fines for HIPAA violations and requires the reporting of breach incidents?
FLEMING: I think that is part of it.... The push for electronic medical records, both from a payer perspective and also just from a quality perspective, has also been a driver. The Red Flags Rule from the Federal Trade Commission, which is more of a consumer protection law, also drove our need to do this, and also state regulations. There have been a number of states that have passed laws related to either financial privacy or medical privacy or both.
All of those in combination drove us to add this benefit.
ANDERSON: So who is eligible for the new Cyberguard coverage?
FLEMING: It is all of our solo practitioners and all medical groups up to 100 physicians, which is ... most of our insureds.
ANDERSON: Any plans over the long haul for expanding coverage to larger group practices?
FLEMING: We do some business in that arena and we have that coverage available now. It is a little bit of a different product and it is for an additional premium.
ANDERSON: Speaking of that, what is the cost of this extra coverage for practices up to 100 physicians?
FLEMING: There is no additional charge either for new customers or for our existing business in receiving these benefits.
ANDERSON: So if I buy liability coverage from you this is included in that?
FLEMING: Exactly. If you buy liability coverage you automatically get Cyberguard.
ANDERSON: I understand that this new program covers regulatory and liability claims arising from the theft, loss or accidental transmission of patient information. So please walk us through the expenses that Cyberguard covers.
FLEMING: Well there are four areas that we cover with Cyberguard. One is network security and privacy, so that is coverage that will defend our member against a claim made against them for a privacy breach. For example, if a medical record or medical information is made available to someone who ought not to have access to it and the patient sues, then we will defend them and pay any damages that they owe.
We also cover regulatory actions. So if the Federal Trade Commission or the HHS Office of Civil Rights or a state regulator takes some action against one of our members, then we would pay to defend them. And if there were any resulting fines or penalties we would also pay those fines and penalties.
Next is patient notification and credit monitoring. So if there is a breach that results in a regulatory requirement, either at the state or federal level, to notify the affected persons, then we will both help in making those notifications and also pay the cost to make those notifications. If it is a financial breach that results in a credit-monitoring requirement, then we will also pay the cost for credit monitoring.
And then finally, we pay for data recovery. So if data is damaged or lost or stolen we will help pay the cost to recover that data.
The limits to the coverage are $50,000 per physician; whether a solo physician or multi-physician group, the limits apply for each physician....
ANDERSON: Just to make sure we are clear, that is $50,000 total per physician for all four categories and not for each category individually, correct?
FLEMING: That is right. They can pay up to $50,000 in any one category or in a combination of them.
ANDERSON: What advice would you give to physicians on the most important steps they can take to prevent information breaches in the first place so that they don't need to worry about coverage?
FLEMING: We would rather they have the policies and procedures and prevention measures in place to not really need to use our product, ideally, and we provide help to them in that area. We have some risk management benefits that we also provide.
I would recommend having written protocols for online communications with patients to protect their privacy. And then also on the technology side, they ought to consider whether encryption makes sense in their setting because that can have a major effect on their notification requirements, depending upon their state and what law might be in play.
And then also password-protecting laptops and other mobile devices is important. We see a fair number of claims that involve a digital camera, a flash drive, a PDA or a laptop that is either lost or stolen and results in a breach.
And also, employee training is important. What we see sometimes are claims that are not from a bad executive decision but just ordinary business. For example, a patient owes money to a practice and then declares bankruptcy for a variety of reasons. But in the bankruptcy process, the doctor's office had to provide information to support their claim to the bankruptcy trustee, and, in doing so, they provided medical records. The records got onto a public web site at the court, and that resulted in a breach. That was not a decision made at the executive level; that was an ordinary course of business decision. The person involved didn't have the information necessary to make the right decision about what information they should include in that situation.
So technology, prevention measures, employee training and protocols are important.
ANDERSON: Well, thank you very much, Bill. We have been talking today with Bill Fleming at The Doctors Company. This is Howard Anderson of Information Security Media Group.