PRA Insurance Agency Offers Privacy Liability Coverage


Don Emory, Vice President at PRA Insurance, specializes in all lines of insurance for physicians and healthcare-related risks, with over 25 years of experience in the field of insurance. His insurance experience includes a number of years with a large regional captive brokerage which represented a physician professional liability insurance company, where his primary focus was the development and delivery of other insurance products to their existing and new clients. He began his insurance career with Safeco Insurance Company, holding various positions in their commercial lines underwriting and marketing departments. He is a graduate of California State University Northridge with a Bachelor of Science degree in Economics and holds an Associate in Risk Management (ARM) designation.

Below, he offers information on Data Breach and Liability.


In California, legal protection for health information comes from a combination of federal and state laws. The California “Confidentiality of Medical Information Act” (CMIA) is the state law which addresses the privacy and security of medical information. Although the Federal “Health Insurance Portability and Accountability Act of 1996” (HIPAA) established the baseline for health information privacy and security in all states, federal laws do not preempt state laws. When a state’s law is more protective than federal law on the same matter, the more stringent law will apply.

HIPAA privacy protections establish circumstances under which “Protected Health Information” (PHI), information that can identify an individual, held by covered entities can be accessed, used or disclosed.

The Privacy Rule sets out when PHI can and cannot be used or disclosed without patient authorization.

The HIPAA Security Rule mandates appropriate safeguards (administrative, physical, and technical) to ensure the confidentiality, integrity and security of PHI.



Individuals must be notified when there has been a breach involving health information that is not secured through encryption if the information is “reasonably believed to have been acquired by an unauthorized person.”


Notification must be provided within 5 business days after discovering a breach. It must include a general description of the incident, the type of information breached, the date and time of the breach, a toll-free telephone number for more information, and the toll-free telephone number and address of the three major credit bureaus if the breach exposed a Social Security, Driver’s License or California Identification Number.


The Department of Health, after investigation, may assess up to $25,000 per patient whose medical information was accessed, used or disclosed without authorization. In addition, up to $17,500 can be assessed for any subsequent violations.


Certain entities (clinics, health facilities, home health agencies and hospices) may also have to notify the California Department of Health. If more than 500 California residents are affected, the entity must also notify the state attorney general.


Privacy Liability, otherwise known as cyber liability, cyber security, data security or information security, is an evolving exposure for organizations that collect and maintain their customers’ personal information.

Organizations which handle, transmit, store or process “Personally Identifiable Information” (PII) are subject to strict reporting and notification requirements in the event of a “data breach”, the unauthorized access, use or disclosure of PII. For health care providers, the reporting and notification requirements to governmental agencies and their patients can be more stringent with potential for fines and penalties.

HIPAA, the principal federal law regulating information privacy, applies to a broad category of health care providers. HIPAA privacy protection establishes the circumstances under which PII can be accessed, used or disclosed. The Confidentiality of Medical Information Act, the California law which also addresses the privacy and security of medical information, expands federal law. The unauthorized access, use and disclosure of PII from a data breach triggers response requirements and opens up potential financial obligations for health care providers to affected customers and patients.

Privacy Liability Insurance coverage is designed to cover the cost to respond to the data breach, unauthorized access, use or disclosure of PII or PHI, which are protected under state and federal breach notification laws.

Privacy Liability Insurance coverage provides protection for the following areas:

  • First-party coverage protects you against the direct costs suffered by your business such as customer notification costs, potential governmental agency fines, and public relations expenses.
  • Third-party coverage protects you against costs incurred for damage caused to others which you are obligated to pay.

Privacy Liability insurance coverage can include and assist with the following:

  • Initial consultation to assist with the potential data breach
  • Establish appropriate data breach response plan
  • Assist with the investigation to determine the cause of the data breach
  • Secure data breach notification firm for credit and debit monitoring and identity theft
  • Pay the cost to hire a public relations firm
  • Provide defense expenses and cover potential fines and penalties

Coverage quotations are available to Coastal Physician Purchasing Group Members through PRA Insurance. Please contact Don Emory / PRA Insurance / (800) 910-6535
