Testimonials

"I'm thankful we had insurance that put us in a position for the future. Had we not had that, we would not have survived the flood. That's the truth. We might not have had the type of coverages we did had it not been for Spiris, who developed and proposed those coverages."
Julian Robinson
Administrator, Munster Med-In
Muncie, Indiana

"Spiris makes the process easy and does a great job of finding good protection at affordable rates. I would most definitely recommend their services to other pilots."
Kelly Earnst
Private Pilot
Lafayette, Indiana
Health Care Industries

Risk management sounds like a euphemism for insurance. How better to manage risk than to insure around or over it? Things aren't always as they seem, though, especially given the difficult risk management needs of health care professionals. A recent development illustrates why risk management must be viewed as a comprehensive, repeated process in which risk management professionals are consulted frequently. Insurance is the core, vital part of that process, but it is not the be-all and end-all of risk management.
By now, health care professionals are aware of the dynamics that the Health Insurance Portability and Accountability Act (HIPAA) has changed. This is especially the case since the recent enactment of the HITECH amendments, which extend that statutory scheme (among other things, by requiring notification of a breach of health information). Over the fifteen years in which HIPAA concepts have been around, the focus has shifted from the reduction of pre-existing condition carve-outs (the "portability" part of the Act) to the growing requirements for keeping protected health information confidential.
HIPAA and its regulations now require “covered entities” to do things such as:
- Develop and implement written privacy policies and procedures
- Designate a privacy official
- Train all workforce members on its privacy policies and procedures
- Maintain reasonable and appropriate administrative, technical, and physical safeguards
- Prevent intentional or unintentional use or disclosure of protected health information
Covered entities include health care providers, health insurers, and billing clearinghouses. By regulation and by contractual obligation, the requirements also extend to the "business associates" of those covered entities.
The regulations are complicated enough to be scary. What's even scarier is that violating the privacy requirements of HIPAA and HITECH can bring substantial, even enterprise-threatening, fines and penalties.
A pair of examples suffices to illustrate the point. In the first, the federal Department of Health and Human Services levied a $1,000,000 fine on Mass General Hospital for having lost documents containing the names and medical record numbers of 192 patients. In the second, according to a report in the Journal of AHIMA, an Indiana practice group's collection effort resulted in files being sent to its attorney for collection. The health information was not redacted (blacked out), and a patient's HIV-positive status was revealed in public records. The result? A medical "malpractice" loss of $1.25 million.
Notice the quotation marks around the term "malpractice." This is not an event normally or traditionally associated with malpractice. No scalpel slipped; no surgical sponge was left in; no diagnosis was missed. How could the practice group be responsible for the disclosure, and how could it be responsible in "malpractice"?
Part of the answer lies with HIPAA and HITECH themselves. The statutes do not authorize a private patient lawsuit based solely upon the statutes; enforcement must come through entities like HHS. However, in many states a patient still has a right to bring an action in negligence in a situation such as this, and is likely to use the HIPAA standards to establish what the standard of care is.
That may seem to be a distinction without a difference. In many instances, it may be. But in the world of insurance and risk management, there is a difference. That difference is whether the practitioner’s medical malpractice policy will respond to a non-traditional malpractice claim that involves a confidentiality breach or a disclosure of information.
Medical malpractice insurance policies vary greatly from carrier to carrier. Some specifically provide coverage for data breaches; others do not. Many policies contain specific definitions of "covered services" or "covered acts," and those definitions may understandably not reach data disclosure. A carrier whose policy is written that way might justifiably take the position that a data breach is not the practice of medicine and is not insured. Many policies, whatever the insuring agreement says, also exclude "fines and penalties," and that exclusion comes into play in this arena as well. Close attention to the exclusions, the declarations page, the insuring agreements, and the definitions is in order.
The answer under a general liability policy is not much better. As a general proposition, the definitions preclude coverage. Liability coverage under the standard Insurance Services Office (ISO) Commercial General Liability policy is triggered by a claim of "bodily injury" or "property damage." Neither an invasion of privacy nor a violation of federal privacy statutes is likely to result in "bodily injury" or "property damage." A data breach may not even be an "occurrence," because it may not result from an accident. Even if these definitional hurdles were overcome, Exclusion (p), added to the standard CGL form in 2004, carves out: "Damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data."
Well, then, with what appear to be waves of bad news for the health care professional, what can be done to manage the privacy risk? Two helpful options are available: one pure insurance and one pure risk management.
From a risk management point of view, the key to minimizing data breach risk is to take several commonsense, practical steps to prevent the loss in the first place. A few years back, Aon suggested several tips for health care quality improvement. Among them are some that apply equally to health information risks:
- Be proactive. Develop policies and procedures before the regulators appear at your doorstep, not after.
- Everyone from management through the practitioners to the staff and administrative personnel must understand and must support the policy.
- Encourage input and encourage whistleblowing.
- Standardize communication form and content whenever possible.
- Coach patients to be involved in the process – have them bring complaints to you first, rather than to the regulators.
Of course, part of risk management is having plans in place to deal with a catastrophe, such as a lost laptop or a concerted attack.
The second aspect of the solution is insurance. Companies are developing forms and policies to cover insureds for data breach and privacy liabilities. (That is part of the reason those risks are being carved out of general and professional liability policies.)
The marketplace is encouraging, not only as to price or rate, but also as to form. Many carriers have drafted their own policy forms. Even where "standard" or conventional forms are used, there is still a good deal of variation in the available coverages, and a risk management professional's assistance here is invaluable. Some of the coverages available include Web Site Publishing Liability, Network Protection, Network Security, and even business income lost as a result of an insured event.