Don Emory, Vice President at PRA Insurance, specializes in all lines of
insurance for physicians and healthcare-related risks, with over 25 years'
experience in the field of insurance. His insurance experience includes
a number of years with a large regional captive brokerage which represented
a physician professional liability insurance company where his primary
focus was the development and delivery of other insurance products to
their existing and new clients. He began his insurance career with Safeco
Insurance Company holding various positions in their commercial lines
underwriting and marketing departments. He is a graduate of California
State University Northridge with a Bachelor of Science degree in Economics
and holds an Associate in Risk Management (ARM) designation.
Below, he offers information on Data Breach and Liability.
WHY DO I NEED PRIVACY LIABILITY COVERAGE?
In California, legal protection for health information comes from a combination
of federal and state laws. The California “Confidentiality of Medical
Information Act” (CMIA) is the state law which addresses the privacy
and security of medical information. Although the Federal “Health
Insurance Portability and Accountability Act of 1996” (HIPAA) established
the baseline for health information privacy and security in all states,
federal laws do not preempt state laws. When a state’s law is more
protective than federal law on the same matter the more stringent law
HIPAA privacy protections establish circumstances under which “Protected
Health Information” (PHI), information that can identify an individual,
held by covered entities can be accessed, used or disclosed.
The Privacy Rule sets out when PHI can and cannot be used or disclosed
without patient authorization.
The HIPAA Security Rule mandates appropriate safeguards (administrative,
physical, and technical) to ensure the confidentiality, integrity and security of PHI.
CALIFORNIA BREACH REQUIREMENTS
Individuals must be notified when there has been a breach involving health
information that is not secured through encryption if the information is “reasonably believed to have been acquired by an unauthorized person”.
Notification must be provided within 5 business days after discovering a breach.
Notification must include a general description of the incident, the type of information breached,
date and time of breach, toll free telephone number for more information
and toll free telephone number and address of the three major credit bureaus
if the breach exposed a Social Security, Driver’s License or California
The Department of Health, after investigation, may assess up to $25,000 per patient
whose medical information was accessed, used or disclosed without authorization.
In addition, up to $17,500 can be assessed for any subsequent violations.
Certain entities (clinics, health facilities, home health agencies and
hospices) may also have to notify the California Department of Health.
If more than 500 California residents are affected, the entity must also
notify the state attorney general.
WHAT IS PRIVACY LIABILITY COVERAGE?
Privacy Liability, otherwise known as cyber liability, cyber security,
data security or information security, is an evolving exposure for organizations
that collect and maintain their customers’ personal information.
Organizations which handle, transmit, store or process “Personally
Identifiable Information” (PII) are subject to strict reporting
and notification requirements in the event of a “data breach”,
the unauthorized access, use or disclosure of PII. For health care providers,
the reporting and notification requirements to governmental agencies and
their patients can be more stringent with potential for fines and penalties.
HIPAA, the principal federal law regulating information privacy, applies
to a broad category of health care providers. HIPAA privacy protection
establishes the circumstances under which PII can be accessed, used or disclosed.
The Confidentiality of Medical Information Act, the California law which
also addresses the privacy and security of medical information, expands
federal law. The unauthorized access, use and disclosure of PII from a
data breach triggers response requirements and opens up potential financial
obligations for health care providers to affected customers and patients.
Privacy Liability Insurance coverage is designed to cover the cost of responding to a data breach,
the unauthorized access, use or disclosure of PII or PHI, which are protected
under state and federal breach notification laws.
Privacy Liability Insurance coverage provides protection for the following areas:
- First-party coverage protects you against the direct costs suffered by
your business such as customer notification costs, potential governmental
agency fines, and public relations expenses.
- Third-party coverage protects you against costs incurred for damage caused
to others which you are obligated to pay.
Privacy Liability insurance coverage can include and assist with the following:
- Initial consultation to assist with the potential data breach
- Establishing an appropriate data breach response plan
- Assisting with the investigation to determine the cause of the data breach
- Securing a data breach notification firm for credit and debit monitoring and
- Paying the cost to hire a public relations firm
- Providing defense expenses and covering potential fines and penalties
Coverage quotations are available to Coastal Physician Purchasing Group Members
through PRA Insurance. Please contact Don Emory / PRA Insurance / (800)