by Robert Johnson
Various types of insurance are vital to the healthcare industry to protect institutions, physicians, and patients. But what is the appropriate type of insurance to indemnify data destruction providers? This article will explain a misconception about insurance that may be putting both HIM professionals and their clients at risk.
For decades there have been questions about the proper type of insurance to cover record destruction services. If material surfaces (like protected health information) after it was entrusted to the shredding contractor, how will the contractor cover the possible resulting financial loss to the client? It wasn’t until recently that the industry’s 10-year-old trade organization, the National Association for Information Destruction (NAID), began to investigate the issue.
Why is now the time for action? What motivated these changes? Simply put, privacy legislation like HIPAA and the Gramm-Leach-Bliley Act of 1999 (GLB) was enacted.
GLB is the equivalent of HIPAA in the financial sector and requires notification of privacy policies and the ability to opt out. In addition, mounting consumer concerns over identity theft and privacy contributed to the call for action. Risk managers and compliance officers at medical and financial institutions began specifying in business associate agreements that shredding contractors accept the liability for potential damages resulting from their nonperformance (i.e., unauthorized release of protected health information) whether by accident or negligence. Such indemnification became much more important as information disposal became recognized as a significant source of exposure.
Historically, bonding—or more specifically, employee dishonesty bonding—was obtained by shredding companies in an effort to show some type of coverage. Bonding was often obtained more by default, since service providers were unsure how to indemnify themselves and their clients. Unfortunately, “employee bonding” has no real value as any form of liability indemnification for financial damages suffered by the client from the negligence or accident on the part of the document destruction company. It covers a client if a contractor’s employee stole money, a computer, or some furniture, but it is not meant to cover damages resulting from the unauthorized release of information.
Clients and shredding contractors also commonly assume that general liability coverage covers such claims. That, too, is a misconception.
In fact, only specifically scripted professional liability insurance (often called errors and omissions, or malpractice) indemnifies the contractor (and therefore the client) for this type of liability.
The ABCs of Liability Insurance
Covered entities should consider several important points when deciding whether to require a document destruction contractor to carry professional liability insurance:
- Even without specific language in a business associate agreement, the shredding contractor could be held liable for financial damages resulting from its negligence or accident. Unless, of course, the contractor limits that liability up front.
- When contracting to perform services for which it will receive several hundred dollars, a shredding contractor may determine it is unreasonable to accept unlimited, unspecified liability. The shredding industry standard contract limits such liability to six months of revenue from any one location.
- Contractors are under no legal requirement to insure themselves against liability that is accepted in a contract. Knowing that a contractor doesn’t have coverage to indemnify the liability may leave the client a bit uncomfortable, but there is nothing illegal about it unless the contractor knowingly misled the client by indicating it was covered.
- Many, if not most, covered entities themselves are not insured for unauthorized release of information.
It is still understandable that many covered entities will continue to transfer liability to shredding contractors for financial damages resulting from the contractor’s negligence or accident. Such protection is considered a primary benefit of using a properly insured shredding company. In that event, as stated, properly and specifically scripted professional liability insurance is the only insurance aimed at this liability.
It is important to specify that errors and omissions coverage be specifically scripted for the shredding contractor because most—if not all—off-the-shelf policies exclude coverage for incidents stemming from the most likely scenarios that would cause a claim.
From the insurance company’s perspective, such incidents are often viewed as incentives for the contractor to be negligent or accident prone. Insurance underwriters do not want to issue a “get out of jail free” card to shoddy operators, and they therefore exclude certain types of claims.
To be effective, professional liability insurance should not exclude claims resulting from:
- Intentional acts by employees
- Breaches of privacy
- Transfer of intellectual property
- Illegal acts by employees
These exclusions, as they relate to contracted security shredding, eliminate the most likely scenarios from which a claim would result. It is important that covered entities that insist their vendors have professional liability insurance make sure that the insurance they obtain covers such occurrences. Again, it is important to note that virtually every off-the-shelf errors and omissions policy excludes them.
Covering Your Bases
Specifically scripted professional liability insurance will not be available to all destruction service providers. Underwriters are very cautious about changing their policies, and they will not modify their terms and exclusions for a shredding contractor unless they are comfortable that the contractor has security measures in place to minimize the risks.
Also keep in mind that this type of insurance is relatively expensive, especially if the shredding company has been functioning without it. Covered entities requiring shredding contractors to obtain specifically scripted professional liability insurance should be prepared to pay a bit more for the service.
The level of attention now being focused on insurance is new for this industry. Most shredding contractors are still trying to come to terms with the concept. Some may even be skeptical. Clients of records destruction contractors would be ill advised to make knee-jerk decisions about eliminating long-term service providers based solely upon this new information. Most contractors are doing everything that was originally asked of them. As always in contractor relationships, the best approach is one of partnership. Discuss the issue openly and come to terms on the matter of indemnification in a way that satisfies all parties.
Robert Johnson (firstname.lastname@example.org) is the founder and executive director of the National Association for Information Destruction (NAID).
Johnson, Robert. "Forgiveness Means Never Having to Say You’re Not Insured." Journal of AHIMA 75, no. 5 (May 2004): 48-49, 53.