June 2, 2023

Are You Aware of the New Risks of Cyber Liability and Breach of Patient Data Privacy?

The social work profession is noble and founded on service, integrity, and clinical expertise. At times it can be a stressful and hazardous occupation. The nation is grateful for what you do. AND SO ARE WE! Thank You!

A data breach releases secure information into an unsecured environment and happens intentionally or unintentionally. A data breach or security incident occurs when confidential data such as patient records or personal financial data is copied, transmitted, viewed, stolen, or used by someone unauthorized to handle such information. A data breach may involve client records and documentation, financial records, credit card, debit card, bank details, personal health information (PHI), personally identifiable information (PII), trade secrets, and intellectual property. Such incidents pose the risk of identity theft or other serious consequences.

Data breach is a growing concern worldwide with the sophistication of criminal technological access and the increasing technological and legal access to records storage and transmission by honest people at work for professional use and at home for personal use. The nonprofit consumer organization, Privacy Rights Clearinghouse, identified over 227 million individual records containing sensitive personal information involved in security breaches in the U.S. in a recent three-year period.

Today’s technology-driven world has increased risks associated with doing business online and storing sensitive data, including client names, phone numbers, and texts, electronically in digital warehouses or even on your cell phone. It is spawning the need for social workers and other healthcare professionals to shift the risk to insurance carriers. For example, in 2005, fewer than 30% of businesses surveyed by the FBI had cyber liability insurance coverage. Today over 90% of companies have cyber liability insurance coverage.

The risks associated with doing business online and by phone and storing sensitive information electronically and on paper are increasing. In response, the Federal government and many states have enacted laws with safeguards, notification requirements, and penalties to protect the security and confidentiality of information, precisely medical information, as it is stored conventionally, electronically, and shared electronically. The most important example of this aimed directly at healthcare professionals began in March 2013, when Congress passed the 45 CFR Part 160 HIPAA HITECH Act, which became enforceable in many occupations, including social workers and the behavioral health industry, effective September 2013.

This Federal Law holds social workers liable for data privacy breaches by third-party data management vendors used by social workers. Under HIPAA, and in many states under state law, the social worker is now ultimately responsible for protecting the client’s data no matter where the data is. The social worker has this duty and is liable if the client’s data is compromised, including third parties that handle paper records storage and movement, digital warehouses, internet service providers, and cell phone network providers that the social worker uses to manage client records that become breached – creating many liabilities for the social worker in today’s technology-driven world. The HIPAA HIGHTECH law includes criminal penalties and prison time, so this is a severe matter with sharp legislative teeth.

Data breaches now affect hundreds of millions of records each year. In 2013, the Computer Security Institute survey of 351 security professionals found that half of the respondents experienced at least one data security incident in 2012, and about 55% were accidental untargeted breaches. Simply losing a laptop, a mover losing a records file box or an envelope with a patient file in it, a burglar merely opening up a file drawer in the social worker’s office, a lost flash drive, or the social worker’s data management vendor accidentally faxing or emailing a patient record or form to the wrong phone number or email address, as well as a deliberate cyber attack on the social worker’s data management vendor are all examples of data breaches which become the social worker’s responsibility.

As A Social Worker, How Can I Get Protected?

Cyber Liability insurance coverage for small practices and social work agencies is still relatively new to the insurance world. Preferra was ahead of the curve in 2014 compared to its competitors and released a suite of comprehensive low-cost, premium, easy-to-buy cyber liability policies covering the main perils listed in 45 CFR Part 160 HIPAA HITECH. Many social workers and behavioral health practitioners have recognized the protection and value and have purchased a Preferra cyber liability policy.

Some Professional Liability insurance policies provide data breach coverage if the breach occurs within the practitioner’s control only. The Preferra Professional Liability insurance policy covers data breaches within the practitioner’s power, such as a misdirected email or fax or a burglary of office files.

Now, Preferra Insurance Company RRG provides Cyber Liability and Breach of Patient Data Privacy insurance policies that protect the practitioner from many other breach occurrences committed by third parties, including Security Breaches, Damages, Civil Monetary Penalties, Notification Expenses, and Defense Expenses. This policy covers sole practitioners or individuals at the state and federal levels for third-party liability, including damages and civil monetary penalties. The insured is legally obligated to pay any defense costs arising from security breaches involving the personal information of the insured’s patients if a breach occurs while the information is in the care, custody, or control of a third party to whom the insured has entrusted the info. Such third-party include a cloud vendor, a university whose computer system the insured uses to store records, an internet service provider, a telephone/cell phone network provider, a moving company hired by the insured to move the insured’s office contents, including records and equipment, or a records disposal company hired to destroy old records. Coverage applies to electronic and paper documents. It is an excellent cover for HIPAA HITECH protection arising from 45 CFR Part 160, which holds the social worker liable for data security breaches caused by third parties that the social worker uses.

This Preferra cyber liability policy covers the following:

  • reasonable costs to notify affected individuals and provides a one-year subscription reimbursement benefit for identity theft protection,
  • legal defense costs if a claim is made against the insured by affected individuals or if a state or federal regulator brings a civil action against the insured,
  • damages that the insured is legally obligated to pay under a court judgment or out-of-pocket court settlement, any civil fines or penalties that the insured must pay because of the breach, and
  • the costs incurred for the insured to notify the insured’s patients of a data breach.

The Preferra Cyber Liability policy is an excellent value for social workers. It provides a broad array of coverage, responds to recent data privacy legislation enacted by the Federal government and adopted by some states, and offers excellent coverage at extremely affordable premium prices.

Social Workers now, more than ever, need insurance coverage for third-party data breaches. Federal and State governments demand higher expectations from Social Workers and with the advent of the HIPAA HITECH Law, Social Workers are held liable and even more accountable than ever.

One severe final update. The floodgates will open from cyber liability claims. Here’s why. In November 2022, HHS’ Office for Civil Rights (OCR) and SAMHSA (Substance Abuse and Mental Health Services Administration) issued a Notice of Proposed Rulemaking (NPRM), which addressed part 2 and HIPAA changes. Part 2 protects patient privacy and related records.

Although still in the proposal stage, with a final ruling expected in 2023, it allows HHS to impose civil monetary penalties for violations of the HIPAA HITECH Law. Embedded in section 13410( c ) (1) of HIPAA HITECH requires OCR to share a portion of funds it receives from HIPAA enforcement activities with the victims of HIPAA and HIPAA HITECH violations. This critical ruling disallows private individual causes of action and lawsuits under HIPAA-regulated entities for HIPAA violations. This proposed new rule opens the door for OCR to capture civil monetary penalties for the victims, your clients. Increased litigation will arise from information breaches against social workers and healthcare practitioners.

Preferra Insurance Company RRG, will continue to ensure its policyholders for Professional Liability, General Liability, and Cyber Liability insurance risks and perils. You can count on us to protect you!