HIPAA-proofing Your Smart Phone or Mobile Device

In recent months OMIC has noted a surge in regulatory and HIPAA Privacy claims, especially involving malicious acts by disgruntled employees and unhappy patients.

In one case, a physician’s smart phone was compromised and more than 30 unauthorized breaches were recorded in one four hour period, requiring the practice to notify hundreds of patients of a potential release of their medical information. They also were required to report the incident to government authorities in order to comply with HIPAA requirements.

See here for the HIPAA Security Rule.

While some of the costs associated with data breaches may be covered by your insurance (see here for information on OMIC’s BRP and eMD policy benefits), the damage to your reputation would be difficult to measure, not to mention the time you and your staff must devote to addressing the issue.

Interestingly, a leading security firm recently “lost” 50 phones to track the behavior of those who found the phones. Of the 50% of the phones that were actually returned, 43% of the finders attempted to gain access to a banking app, often attempting to “guess” the login code based on other data accessible on the phone, and 80% tried to access folders titled “HR Salaries,” “HR Cases,” and “saved passwords.”

Unauthorized access to sensitive information on your device would be considered a HIPAA Privacy violation. And while a data breach or HIPAA violation could be the result of a deliberate act of a person intentionally trying to harm you or your practice, it may also simply arise from the loss or theft of your mobile device.

Steps you can take to HIPAA-proof your smart phone:

1. Activate Phone Passcode. Choose a four-digit passcode that would be difficult to guess. Don’t use birthdates, street address numbers or anything else that would be obvious if a person was able to identify you and guess basic “expected” codes from an internet search. Your phone will often have a setting that, when turned on, will wipe all information from the phone if the wrong code is entered more than a set number of times. (I have my iPhone set so that 10 wrong codes trigger a data wipe.) Turn this setting on.

2. Don’t Use Email. Regular email communications are rarely encrypted and should never be used for transfer of HIPAA protected information. Email accounts are easily breached and would almost never provide defensible protections for sensitive medical data or attachments if a HIPAA Privacy claim were filed against you or your practice. If you are sending sensitive information unencrypted, stop now, and use a cloud-based encryption service or VPN only.

3. Set “Required Login” for Apps. Some applications will save your information so that after you log in once on your smartphone you will no longer have to enter the login information for subsequent visits. Although convenient, this would make it easy for anyone gaining access to your phone to also potentially gain access to HIPAA protected information. Make sure that for any app that delivers sensitive data to your device, the settings require physical login credentials each time you enter the app.

4. Download an Encryption App. There are many cloud-based applications you can use to encrypt the data that is being transferred to and from your device, but you also need to protect information that is downloaded to or resides on your device itself. Therefore, if you will download any sensitive information to the device itself, use this type of app. Encryption apps generally run from a buck or two to over $50. There is even a call encryption app for $1,600 that meets FBI standards! (You probably don’t need that one.) These apps are available for both Apple and Android phones and they are of varying quality, so research online and read app reviews for more information. Simply search for “encryption” in the app store. Your HIPAA-related texts, messages, and images that are downloaded to your device will be encrypted again, requiring another password. This is important since any previous encryption during transfer from a cloud server to your device would most likely not protect the data once it is downloaded to your phone. These apps can be configured to encrypt all data or only certain selectively identified folders, images, or documents.
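Step 1 above combines two controls, an unguessable passcode and a wipe after a set number of wrong entries. The following Python model, added here as an example and not code from OMIC or any phone vendor, shows how those two controls work together: a check that rejects “obvious” four-digit codes (repeated digits, sequences, birth years, and codes derived from a known birthdate), a lock that erases the device after a fixed number of failures, and a small calculation of how little of the passcode space a thief can try before the wipe triggers. The PIN length, the failure limit of 10, the 1900–2012 birth-year range, and the sample birthdate are all assumptions chosen for the illustration.

```python
"""Model of a device passcode policy (added example; not OMIC's or a vendor's code)."""
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

PIN_LENGTH = 4        # assumption: four-digit numeric passcode, as in the article
MAX_FAILURES = 10     # assumption: mirrors the "10 wrong codes" wipe setting
YEAR_RANGE = (1900, 2012)  # assumption: any code in this range looks like a birth year


def is_obvious_pin(pin: str, birthdate_iso: Optional[str] = None) -> bool:
    """Return True if the PIN is one a stranger could plausibly guess.

    birthdate_iso is an optional 'YYYY-MM-DD' string for the owner's birthdate,
    used to reject codes derived from it (MMDD, DDMM, YYMM, or the year).
    """
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return True  # malformed PINs are rejected outright
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                      # 0000, 1111, ...
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                       # 1234, 9876, ...
        return True
    if YEAR_RANGE[0] <= int(pin) <= YEAR_RANGE[1]:  # looks like a birth year
        return True
    if birthdate_iso is not None:
        bd = date.fromisoformat(birthdate_iso)
        derived = {bd.strftime("%m%d"), bd.strftime("%d%m"),
                   bd.strftime("%y%m"), bd.strftime("%Y")}
        if pin in derived:
            return True
    return False


@dataclass
class PasscodeLock:
    """Tracks failed unlock attempts and wipes the device at the failure limit."""
    secret: str
    max_failures: int = MAX_FAILURES
    failures: int = 0
    wiped: bool = False

    def attempt(self, candidate: str) -> bool:
        """Try to unlock. Returns True only on success; a wipe is terminal."""
        if self.wiped:
            return False  # data is gone; even the right code no longer helps
        # constant-time comparison so timing does not leak which digits matched
        if hmac.compare_digest(candidate.encode(), self.secret.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.wiped = True
        return False


def guessable_fraction(max_failures: int = MAX_FAILURES,
                       pin_length: int = PIN_LENGTH) -> float:
    """Share of the PIN space a thief can test before the wipe triggers."""
    return max_failures / 10 ** pin_length


def run_guesses(secret: str, guesses) -> dict:
    """Feed a list of guesses to a fresh lock and report what happened."""
    lock = PasscodeLock(secret)
    unlocked = any(lock.attempt(g) for g in guesses)
    return {"unlocked": unlocked, "wiped": lock.wiped, "failures": lock.failures}


if __name__ == "__main__":
    # constructed sample: a finder works through the most common guesses
    common = ["1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222", "6969"]
    print("obvious?", {p: is_obvious_pin(p, "1975-06-14") for p in ["1234", "0614", "2957"]})
    print("after 10 common guesses:", run_guesses("2957", common))
    print(f"fraction of 4-digit space coverable before wipe: {guessable_fraction():.3%}")
```

The `guessable_fraction` value (0.1% for ten tries against four digits) is the reason the wipe setting matters: without it, a four-digit code is a few hours of patient guessing, while with it a thief gets ten tries and the obvious codes, which is exactly why the first check refuses to let those codes be set.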

CLOUD 101:

First, go here to learn about encryption.

“Off-the-Shelf” Cloud Apps: Cloud technology uses the same security as your bank to encrypt and protect data. Search for one that is HIPAA compliant or certified. OMIC does not endorse third-party products, however one popular app is Citrix Sharefile. There may be other HIPAA compliant (or certified) applications that are comparable or superior to Sharefile so do a thorough search before deciding on which service to use. Information sits behind a cloud-protected server. If you wish to share information with another physician, you can send them an invitation and they would receive an email with a link to the cloud-based confidential information.

Personal VPCs and VPNs: If you have installed electronic medical records (EMR) software, your vendor may already have a cloud-enabled HIPAA compliant encryption solution for you such as a VPN (Virtual Private Network) or a VPC (Virtual Private Cloud) and you may not need to search for separate software. They most likely will have discussed this with you during implementation of your EMR system. If not, ask them to describe in detail how sensitive information is protected. VPNs are basically protected private “intranet” networks within the internet that are set up to securely access your practice’s networked computer system. See this HHS article about EMR remote access liability.

Cloud vs. VPN?

There may be reasons you do not want to ever send HIPAA-protected data electronically; however, that is becoming almost impossible in today’s web-based world. Many legal and health experts agree that if data is to be transferred, encryption within a VPN or VPC would be preferable to completely unprotected email or text communications.

VPN enables you to extend your own network across one that isn’t necessarily secure (i.e. the internet). You would use VPN for access to your practice’s internal network from your home or when traveling and you would use it to transfer information securely from one computer to another, maintaining confidentiality of data and identity.

Cloud computing (VPC) enables you to send data into the cloud, often using VPN encryption technology as a foundation. Clouds have enhanced capabilities that may not be available in a simple VPN environment; however, data security in a cloud context depends on who manages the cloud, how easily you can access data, whether the cloud is HIPAA compliant, and who else might have access to it.

ONE MORE TIP: Don’t let your judgment be clouded. You should not assume that “clouds” protect information sent to your device. While the transfer of information may be encrypted, information does “sit” on your phone temporarily. In addition to enabling the “required login” for cloud apps, you should also immediately exit these apps when you are not actively viewing them.

As outlined above, your efforts to limit access to your sensitive data, including the passcode for the phone itself, encryption apps for sensitive documents, and protection during access to cloud-based apps or VPNs, are all part of a “layered” approach that will help defend your practice against allegations of insufficient HIPAA-related data protocols.

Although a serious “hacker” may be able to penetrate many or all of the individual protections you employ, the more walls you build the more likely a person with an electronic forensic background would simply choose to move on to the next “unprotected” device. Similar to a steering wheel lock or house alarm, the technology is not the primary issue here, but rather a few simple steps that may make a potential criminal feel their time would be better spent moving on to the next device.

Will OMIC insure my ancillary staff for fluorescein angiography?

Betsy Kelley, VP Products

Non-physician employees are covered for services they render within the scope of their employment, training, and licensure. Since laws vary from state to state, it is important to verify applicable scope of practice laws before permitting non-physician personnel to administer intravenous fluorescein dye. While all states allow unlicensed personnel to perform venipuncture, some impose specific training and certification requirements. Additional requirements may apply for the administration of fluorescein. For example, many states allow only licensed personnel, such as registered nurses, to administer intravenous dyes and medications due to their increased risk. Even if not mandated by state law, the practice should ensure that anyone responsible for administering IV fluorescein is properly trained and certified.

Regardless of who can lawfully administer the dye, a physician should be on site and immediately available when the injection is performed. In addition, two staff members should be present (either in the room with the patient or within shouting distance) during the procedure. These precautions are necessary since fluorescein angiography carries the rare but life-threatening risk of anaphylactic reaction. Should an emergency occur, one staff member can remain with the patient while the other calls for help; the physician can direct the resuscitation effort while awaiting the arrival of paramedics.

To assist insureds in the prevention of and improved response to the risks of fluorescein angiography, OMIC has developed risk management recommendations and a sample consent form for this procedure.

For more coverage questions, please refer to the Coverage Questions page.

OMIC Modifies Refractive Guidelines

Ray Fontenot, VP Underwriting

OMIC adopted the following changes, effective immediately, to underwriting requirements for refractive lens exchange (RLE), phakic implants, and PRK.

1. OMIC modified the underwriting requirements regarding patient selection criteria for treatment of myopia with refractive lens exchange. Under the previous guidelines, patients had to be presbyopic, age 40 or older, and have at least 6 diopters and not more than 15 diopters of myopia. Recent articles from Europe present evidence that the risk of retinal detachment following RLE in high myopes may not be as high as originally thought. One study shows that when a PVD is present preoperatively, the risk of postoperative retinal detachment after RLE or cataract extraction in high myopes is not significantly higher than among a normal population. Another study demonstrated that intraocular lens surgery is not a risk factor for retinal detachment in highly myopic patients; the risk profiles for postoperative and idiopathic retinal detachment were identical. Although this data is not definitive, the company determined its maximum permissible degree of myopia could be increased. OMIC is not aware of any peer-reviewed studies that support a significant reduction in the minimum degree of myopia required for refractive lens exchange, but a slight reduction was approved. The new guidelines continue to require that patients be age 40 or older and presbyopic. However, RLE is now permitted for patients with 5 to 15 diopters of myopia, or above 15 diopters up to 20 diopters if a PVD is present.

2. OMIC reduced the minimum interval between primary RLE procedures and between primary phakic implant procedures from one week to five days. This shortened interval improves scheduling flexibility and patient convenience without significantly increasing risk. Most cases of postoperative endophthalmitis occur three to five days after intraocular surgery, and the five-day interval still allows sufficient healing time so that the surgeon can evaluate the vault of the lens, determine the accuracy of the IOL calculation, or evaluate the effectiveness of LRIs before proceeding with the second eye. Because they are elective intraocular procedures with increased risks and longer recovery periods than refractive surgery procedures, OMIC does not offer coverage for bilateral same-day RLE or phakic implants.

3. OMIC modified its underwriting requirements for coverage of bilateral simultaneous PRK to eliminate the requirement that patients meet all FDA guidelines with respect to age, astigmatism, and myopia, thereby permitting off-label procedures to be performed on both of a patient’s eyes on the same day.

Refractive procedures represent a heightened need for thorough underwriting analysis and loss prevention strategies. We’ve learned through years of defending these cases in both settlement negotiations and at trial that a risk management-oriented approach to elective procedures is often essential to successful defense of potential claims. OMIC maintains prudent refractive surgery underwriting requirements, first and foremost, to help strengthen the defense of our insureds from future malpractice claims. We also feel that careful underwriting protects our company from increased exposure to losses and helps us to continue to offer coverage for these procedures without additional charge. For more than twenty years OMIC’s related claim experience has been significantly better than the multi-specialty insurance industry’s.

OMIC’s requirements, based on sensible medical practice and sound risk management principles, are developed by practicing refractive surgeons on OMIC’s Board and Committees and are reviewed on a regular basis as new data becomes available.

For more information on OMIC’s current refractive surgery resources, recommendations, and requirements go here.

Alleged Negligent Placement of Crystalens

Ryan Bucsi, Senior Litigation Analyst

A 45-year-old female patient was diagnosed with cataracts OU and underwent an uncomplicated cataract surgery OD with placement of a Crystalens. The insured ophthalmologist recommended the Crystalens implant because it might allow the patient to be free of glasses and have fewer starbursts and halos. At the first postoperative examination, the patient’s uncorrected vision was 20/20 OD. At the second visit, the patient’s uncorrected visual acuity remained 20/20 OD, but she complained of blurry, tunnel vision, and poor distance vision.

At the third follow-up examination, uncorrected visual acuity decreased to 20/50, corrected to 20/25 OD, with complaints of halos and starbursts. The insured recommended a second opinion, which revealed an uncorrected visual acuity of 20/30 corrected to 20/20 OD near, with the Crystalens in good position. The patient self-referred to another ophthalmologist whose examination revealed uncorrected 20/30, 20/20 corrected distance vision with J3 at near with the Crystalens in good position. The patient consulted an attorney and was referred to an ophthalmologist he utilized as an expert in medical malpractice cases.

This ophthalmologist’s exam revealed 20/50 uncorrected visual acuity and 20/20 OD corrected. The plaintiff expert ophthalmologist performed a lens exchange procedure and placed an AMO model ZA9003 posterior chamber intraocular lens OD. During trial, the plaintiff’s vision was 20/30 uncorrected, corrected to 20/20 at distance OD, with 20/25+1 corrected at close distance.

Analysis

The plaintiff expert testified that he did not recommend a lens exchange; rather, the patient requested it due to continuing complaints of blurry vision from “jiggly lines,” glare, halos, and tunnel vision. The patient reported that the lens exchange procedure improved her visual acuity but did not alleviate the halos and starbursts. The plaintiff expert testified that during the lens exchange the Crystalens was in the sulcus. He opined that the lens must have been incorrectly placed there by the OMIC insured although this expert admitted he did not use and had no experience with Crystalens implants. The OMIC insured and both subsequent treating ophthalmologists maintained that the Crystalens was in the capsular bag when they examined the patient. OMIC’s defense expert testified that it was possible for a lens to move from the capsular bag to the sulcus, and he noted that the plaintiff’s vision was correctable to 20/20 OD postoperatively. OMIC believed the insured’s care was defensible. First, there was support from an expert with significant experience using Crystalens implants and from two subsequent treating ophthalmologists that the lens was properly positioned, while the plaintiff expert was a “hired gun” with no experience using Crystalens. Second, the OMIC insured would relate well to a jury as “an expert” on behalf of his own defense, and the defense counsel had previously and successfully tried cases against this plaintiff attorney. The only hesitation in taking this case to trial was the venue, which had a reputation for plaintiff-oriented juries. Nevertheless, OMIC was confident that a jury would return a defense verdict, and the case proceeded to trial. After two days at trial and 90 minutes of deliberation, the jury returned with a unanimous defense verdict for the OMIC insured.

Risk Management Principles

In addition to a signed written consent form for cataract surgery with a Crystalens, the insured documented his conversations with the patient regarding the Crystalens. The informed consent specifically mentioned double vision or ghost images, shadows in the peripheral vision, floaters or flashes of light, and halos or reflections from lights. The insured’s records were complete and it was easy to follow his thought processes throughout his treatment of this patient. When he could find no objective reason for the patient’s postoperative complaints, he referred the patient for a second opinion, which confirmed a good result and proper positioning of the Crystalens.

During litigation, the insured set aside adequate time to meet with defense counsel in preparation for deposition and trial testimony. Although a well-qualified defense expert was hired by OMIC, it was defense counsel’s opinion that the insured’s trial testimony had the greatest impact on the jury. As this case demonstrates, active participation by the insured in defense of a medical malpractice case can significantly contribute to a favorable outcome.

OMIC Honored with Special Recognition Award

At the annual meeting of the American Academy of Ophthalmology in Orlando, OMIC was honored with the Special Recognition Award. This award is presented to an organization for “outstanding service in a specific effort or cause that has improved the quality of eye care.” OMIC is truly honored to receive this award because it recognizes that by improving patient safety and education, our unique program has reduced the risk of litigation against our policyholders and all ophthalmologists. OMIC’s vast library of patient education materials has become a major web-based resource for ophthalmologists worldwide.

Accolades bestowed upon our company in 2011 are a reflection of the hard work and dedication of our Board and staff and the loyalty of our insureds. In addition to the award from the Academy, OMIC ranked #1 among PIAA (Physician Insurers Association of America) companies in two long-term financial benchmarks, combined and operating ratios. As a result, AM Best upgraded our credit rating to A+ (Outstanding). OMIC was also featured on the cover of Risk and Insurance Magazine as one of America’s most successful insurance captives and ranked #10 out of 255 medical malpractice insurers on SNL Financial’s list of the top 20 best performing mid-sized commercial insurance companies.

OMIC Declares 2011 Dividend

After another year of favorable claim experience and operating results, OMIC’s Board approved a 20% dividend for all active physician insureds as of December 31, 2011, to be applied as a credit to 2012 renewal premiums. OMIC has declared dividends 17 of the past 21 years, averaging nearly 10% per year since 2006. This represents thousands of dollars per insured in returned premium and is significantly higher than other carriers’ dividends during this time period. Since business commenced on September 30, 1987, OMIC has declared policyholder dividend credits totaling approximately $31 million.
