Data Breaches and Compliance
While data breach coverage is no substitute for appropriate preventative privacy and security measures, you should still understand the extent of your insurance coverage. No one wants a lawsuit, but in the event that one occurs, it’s important to be prepared and knowledgeable.
But first, let’s take a look at some privacy and security compliance measures you can take to protect your hospital and your patients:
Perform regular information security risk assessments/analyses.
Examine your current security measures and assess any possible vulnerabilities. Also, consider attorney-directed risk assessments and investigations to preserve privilege.
Document what is and isn't encrypted.
When something is not encrypted, take the time to document the business case for why this is so. This is especially important for HIPAA compliance, which, for example, requires documentation explaining why PHI doesn't need to be encrypted.
Have a clear plan for breach response and train staff on the plan.
It’s important to have a plan, but that plan is useless until your staff is familiar with it. Make sure everyone knows his or her role in the case of a breach.
Maintain an incident log and results of investigations.
Those who don’t learn from the past are doomed to repeat it. Keep a record of all incidents and your responses so you know how best to react in the future. This will also make your interactions with regulators go more smoothly.
Finally, be certain that you have the right breach insurance.
Even when you have taken the appropriate steps to protect your information, a breach can still occur. You know the saying: “‘Things’ happen.” After a proper investigation and corrective action, you can put the incident behind you… hopefully.
But what happens when a breach results in an invasion-of-privacy lawsuit? Even the smallest breaches can be costly. According to Ponemon Institute’s 2014 report, the average cost of a data breach to a company was $3.5 million.
There are insurance policies designed to cover data breach that are separate from your Comprehensive General Liability coverage. Data breach policies are a relatively recent development in the insurance market, and many insurance companies are beginning to exclude electronic data loss from general liability policies. Therefore, you need to review your coverage and know where you stand—you don’t want to find out you’re not covered after a breach occurs!
About Kesha Boykin-McLean
As Chief Compliance Officer, Kesha Boykin-McLean brings over 20 years of experience in healthcare. Prior to joining VCS, Boykin-McLean held a number of senior-level compliance roles, including managing and developing the compliance program for St. Francis Hospital in Connecticut. She was also the Division Ethics and Compliance Officer for the Hospital Corporation of America’s Gulf Coast Division, where she was responsible for oversight of compliance programs for all hospitals within the division. Most recently, she served as an independent healthcare consultant, assisting hospitals with the planning and implementation of compliance programs.