What every physician needs to know: Things to consider before buying cyber liability insurance

Cyber liability insurance is an increasingly vital tool in protecting health care providers and their patients against evolving cyber risks. This presentation is your introductory guide to actionable steps to help you prepare for and mitigate cyber threats.

TMB steps up office-based anesthesia inspections

by Dan Ballard, JD

In accordance with Texas Medical Board’s office-based anesthesia rule (Chapter 192), the TMB has recently begun inspections of registered office-based anesthesia (OBA) providers. Registered OBA providers should be aware that once an inspection is scheduled by the TMB, it will likely not be re-scheduled even if the surgeons or anesthesiologists are not available for the inspection at the assigned time. Being unavailable for the inspection can result in the provider being found non-compliant with the TMB’s rules pertaining to office-based anesthesia.

If essential persons or equipment are unavailable during the time assigned for the inspection, the TMB may not return for a second inspection visit. This means the provider will be unable to prove compliance with TMB requirements.

In particular, this issue may affect providers who are using the services of a mobile anesthesiologist (as the presence of the anesthesiologist and his or her equipment is essential for the inspection of the surgeon’s office). If scheduled for a TMB OBA inspection, it is imperative that the mobile anesthesiologist and all equipment be present on the assigned date and time chosen by the TMB inspector.

Limited English proficiency — HHS to enforce new requirements

Beginning October 17, most physician offices will be required to post notices alerting individuals with limited English proficiency (LEP) of the availability of language assistance services in the practice. In addition to the notice, covered entities must post taglines in the top 15 languages spoken by LEP individuals in the state.

The notification requirement comes from the nondiscrimination provision in the Affordable Care Act (Section 1557 of the ACA) that states individuals cannot be subject to discrimination based on their race, color, national origin, sex, age, or disability. The final rule requires that reasonable steps be taken to provide meaningful access to each individual with LEP.

The rule covers anyone participating in:

  • Any health program or activity, any part of which receives funding from HHS (such as hospitals that accept Medicare or physicians who accept Medicaid);
  • Any health program that HHS itself administers;
  • Health Insurance Marketplaces and issuers that participate in those Marketplaces. (1)

As stated by the Texas Medical Association, “With respect to physicians specifically, HHS estimates that the rules “would likely cover almost all licensed physicians.” (2)

HHS Office of Civil Rights (OCR) — the entity enforcing the new requirements — has provided the following resources to assist practices.

Other resources include:

 To learn more about non-discrimination and health information privacy laws see the HHS OCR website.


  1. U.S. Department of Health and Human Services. Section 1557 of the Patient Protection and Affordable Care Act. Available at http://www.hhs.gov/civil-rights/for-individuals/section-1557 . Accessed on September 19, 2016.
  2. Texas Medical Association Office of General Counsel. Accommodation of Persons with Limited English Proficiency. Available at https://www.texmed.org/Template.aspx?id=42204&terms=lep . Accessed on September 19, 2016. TMA log-in required.

Federal government expands HIPAA investigations

By Cathy Bryant

Beginning August 2016, the government agency in charge of investigating HIPAA violations will expand their investigations to include smaller breaches. Smaller breaches — those affecting fewer than 500 individuals — were once only investigated “as resources permitted.” This is no longer the case, according to an announcement from the Office of Civil Rights (OCR).

What is considered a breach?
The OCR defines a breach as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • the unauthorized person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

Covered entities and business associates have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the PHI has been compromised.

There are three exceptions to the definition of “breach.”

  • The first exception applies to the unintentional acquisition, access, or use of PHI by a staff member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  • The second exception applies to the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Do all breaches have to be reported to the federal government?
Yes. If a covered entity or business associate determines that a breach has occurred, it must be reported to the Secretary of Health and Human Services.  For breaches involving more than 500 individuals it must be reported, as soon as possible, but no later than 60 days following the determination that a breach has occurred.  For breaches involving less than 500 individuals you may report at the time of the breach discovery or within 60 days of the end of the calendar year in which it occurred.

It is important to note that if you experience a privacy or security incident, you should not call it a breach until you have made that determination using the assessment described above. When you call it a breach, it is reportable.

What does this mean to my practice?
You must have a plan to respond to privacy and security incidents. You should make a report to your cyber liability insurance carrier as soon as possible because the incident may be covered under your policy. If covered, your carrier will assist in the investigation and breach notification if required.

With the OCR’s new initiative, smaller breaches could result in an investigation, which generally takes 2-3 years to reach a conclusion with the OCR. The costs associated with an investigation by the OCR will result in significantly higher costs. Now is a good time to check your cyber liability insurance coverage and associated policy limits.

The best defense is always a good offense. Is your HIPAA compliance up to date? Need help in complying with HIPAA? Contact TMLT’s Product Development Services Department or visit the TMLT website.


New Mexico case update: Court hears oral argument

The New Mexico Supreme Court heard oral argument in the Montano v. Frezza cross-border care case on Monday, August 15.

Texas Deputy Solicitor General Campbell Barker argued on behalf of the state and Dr. Frezza. New Mexico co-counsel Alice Lorenz helped Barker prepare for the argument.

A total of 31 parties — including the New Mexico Medical Society, the New Mexico Hospital Association, the University of New Mexico Health Science Center, and the American Medical Association — joined on the TAPA brief.

TMLT and the University of Texas System filed complimentary briefs. View the TMLT brief.

Several years ago, New Mexico resident Kimberly Montano traveled to Lubbock, Texas to undergo bariatric surgery.

Eldo Frezza, MD — an employee of the Texas Tech University Health Sciences Center —  performed the surgery. Over the next six years, Dr. Frezza performed follow-up care for complications related to Mrs. Montano’s surgery. All of the care given by Dr. Frezza occurred in Texas. Dr. Frezza’s only direct connection to New Mexico was that he was listed on the Lovelace New Mexico health plan. Reportedly he was the only bariatric surgeon listed on their plan.

Eventually, Mrs. Montano sought evaluation from another physician. She also retained legal counsel. Counsel for Mrs. Montano reports that tests revealed she had gastrointestinal bleeding caused by an “eroding permanent suture.” The second physician performed corrective surgery.

Subsequently, Mrs. Montano sued Dr. Frezza and Lovelace in a New Mexico court. Mrs. Montano argued that her case should be tried under New Mexico law because her injuries “manifested” themselves in New Mexico.

This was contested in a New Mexico Appellate Court, which agreed with Mrs. Montano. The court concluding that the “place of the wrong” is the place where Mrs. Montano allegedly first discovered the alleged injury and not where the alleged injury occurred.

Also, the court determined that the “choice of law” favored New Mexico since applying Texas’ more restrictive tort claims act violated New Mexico public policy that provides the greatest remedy for the plaintiff.

Though Dr. Frezza was not an employee of the State of New Mexico, the court elected to treat him as if he were. The court’s ruling is not necessarily limited to state employees. Interpreted broadly, the Montano appellate court decision would be a precedent for expanded New Mexico-based liability for Texas physicians in private practice because the Texas cap on non-economic damages would not apply.

The New Mexico courts have not adjudicated the merits of the case. That will occur after the court’s final determination of choice of law.

The appellate court has determined that New Mexico public policy favors one remedy for one claimant over access to care for more than half a million residents of eastern New Mexico. In arriving at this decision, the appellate court never considered New Mexico’s long-standing public policy favoring access to care or the likely public health consequences of their decision.

New Mexico physicians and hospitals have long relied on their ability to refer or transfer sick and injured patients to Texas for specialized care. The willingness of Texas providers to receive those patients may be shaken if the Montano ruling stands. Access to health care is already challenging for New Mexico patients seeking care.

Read the TAPA brief
Read the TMLT brief