FREQUENTLY ASKED QUESTIONS

What is TMLT?

• Texas Medical Liability Trust (TMLT) is a health care liability claim trust led by a Board of Governors who are elected by TMLT policyholders. TMLT is not an insurance company, but a self-insured trust created by the Texas legislature in 1979 to provide medical malpractice insurance to members of the Texas Medical Association.

What is an insurance trust?

• In reference to TMLT, it is a medical liability trust led by a Board of Governors who are elected by TMLT policyholders. TMLT was created by the Texas Legislature to provide medical liability insurance to members of the Texas Medical Association. In general, trusts are not regulated by state insurance departments, but TMLT complies voluntarily with the rules and regulations for commercial insurance companies.

What are your business hours?

• Our business hours are Monday through Friday, from 8 a.m. and 5 p.m. (central standard time)

Where are you located?

• TMLT headquarters is located at 901 S. Mopac Expressway, Building 5, Suite 500, Austin, Texas  78746

Why is TMLT no longer collecting surplus?

• When TMLT was formed, policyholders were required to make a "contribution to surplus." This amount provided capital for the company to operate and to be in compliance with financial guidelines of the Texas Department of Insurance.
• At this time, TMLT has accumulated sufficient surplus to meet all statutory requirements and to be assigned an "A" rating by AM Best. This rating stands for having "an excellent ability to meet our ongoing obligations to policyholders." Therefore, it is not necessary for TMLT to collect surplus.

What premium payment plans are available?

• We offer a monthly payment plan with 10 payments. The first installment is 20%, with the balance due in remaining nine payments.
• We also offer a quarterly plan with installments of 35%, 25%, 25%, and 15%.
• There are no finance charges or transaction fees associated with TMLT payment plans.

How do I pay my premium?

• Pay online at our members-only site, myPortal. You can set up recurring automatic payments or make a one-time payment.
• To pay online, you must log in with your myPortal username and password. If you do not have a myPortal login, please select "New User Registration — Individual" and follow the on-screen instructions.
• You can also mail payments to:
  • Bank of America Attn: 5th floor, Lockbox 847512 1401 Elm Street Dallas, TX 75201

Where can I find my account information?

• You can visit our members-only site, myPortal or call customer service at 800-580-8658 ext. 5050.

How many hours of CME do I need per year for my Texas medical license?

• According to TMB Rule 166.2, Texas physicians are required to complete 48 hours of credit every 24 months. At least 24 credits must be from formal courses designated as AMA/PRA Category 1. At least two of the 24 formal credits must involve the study of medical ethics. The remaining 24 credits may comprise informal self-study, attendance at hospital lectures, grand rounds, or case conferences not approved for formal CME.

How much is the CME discount and when will it apply?

• TMLT and TMIC policyholders who complete a 2-hour risk management CME activity may be eligible for a 3% premium discount. The discount will be applied to your next eligible policy period. Two 2-hour courses can be taken per policy period for a maximum 6% discount. Please note: multiple 1-hour courses cannot be combined for the discount.

What CME courses can I take to receive the CME discount?

• We offer online CME, Case Closed publications, and CME in Volume 4 of our publication, the Reporter. You can also attend one of our seminars or a seminar that we co-sponsor with the Texas Medical Association. View a complete listing of all TMLT CME courses.

How many TMLT CME courses can I take per policy period to be eligible for the CME discount?

• TMLT and TMIC policyholders can take two 2-hour courses per policy period for a maximum CME discount of 6%. The courses must be completed prior to your policy renewal date.

What if I take more than two TMLT CME courses? Can I carry them over to the next policy period for the risk management discount?

• Yes. You can carry over up to two courses per year.

What is my policy period?

• Your policy period is listed on your current policy declarations page.

I am trying to complete an online CME course and it is asking for a user name and password.

• If you have previously completed a TMLT online CME course and you do not have your user name and password, please go to our online CME login page.  Click "sign in" in the upper right corner and click "I forgot my password."
• If you have not completed a TMLT online CME course, please go to our online CME login page and click "New User Registration — Individual." You will need to enter your TMLT policy number and your medical license number.
• Instructions for TMLT online CME are available here to read, print, or download. 

I completed a TMLT CME course and cannot find my certificate.

• You can reprint a certificate from any online TMLT CME course by going to our online CME login page and clicking "My Courses" and selecting the course. Click the orange "Take Test/Get Certificate" button to print your certificate. If you attended a live seminar and need a copy of your certificate, please contact the risk management department and a copy of your certificate will be sent to you.
• Detailed instructions for printing TMLT CME certificates are also available to read, print, or download.
   

I think I have taken all the online CME courses available. Can you check and see if there is something I have not taken?

• Please contact the risk management department for a course transcript, or go to our online CME login page and click "My Courses" or log in to myTMLT and select "Risk Management/View CME History."

What happens during a practice review?

• During a practice review, a risk management professional will visit your practice to help determine your risk exposures. Before the scheduled review date, questionnaires will be emailed to you. The representative will then review approximately 10 medical records for each physician in the practice. He/she will also review your practice's policy and procedure manual, take a quick tour of the office, and conclude the review with a wrap-up discussion with the physician(s).

How long will the practice review take?

• The time for a review varies depending on the size of your practice. Plan on a representative being in the office for several hours. However, the majority of the representative's time will be spent reviewing medical records, and he/she will not require time from anyone in your office.

Does the physician have to be present during the practice review?

• Physicians are encouraged to continue their regular schedule during the review. Once the risk management representative has completed the review, he/she will need to spend approximately 45 to 60 minutes with the physician(s) to discuss general risk management concerns and any specific recommendations. This meeting will be arranged when the practice review is scheduled.

Do I need to de-identify patient information in the medical records that will be reviewed during a practice review?

• No. TMLT has a HIPAA business associate's agreement on file with all of our policyholders. This allows us to review the medical records under HIPAA guidelines. No patient information will be removed from the practice.

Can one physician in a group request a practice review if the other physicians do not wish to participate?

• When a practice review is requested for a group, it is recommended that all TMLT-insured physicians agree to be included before scheduling the review.

Can a physician who is not a TMLT policyholder request a practice review?

• Yes. Practice reviews are free to all TMLT policyholders. However, if a physician who is not insured by TMLT would like to request a practice review, that physician can contact the TMLT Risk Management Department for information regarding the fees for a review.

Can a hospital-based physician (hospitalist, radiologist, pathologist, anesthesiologist, emergency medicine physician) request a practice review?

• Yes. TMLT can conduct practice reviews for physicians in all specialties and practice types.

How long will the practice review premium discount remain in effect?

• Once the physician has adequately responded in writing to any recommendations made during the review, the 5% practice review discount is effective for the remainder of the current policy period plus an additional two full policy periods, as long as the physician is continuously insured with TMLT.

How long will it take before I hear from someone about scheduling the review?

• Typically, risk management representatives are out of the office conducting practice reviews 2 to 3 days per week. Therefore, it may take up to 2 weeks before a representative contacts you to schedule the review.

Are some physician practices exempt from complying with HIPAA?

• Under HIPAA, the definition of "covered entities" did exclude a few physicians; however, the Texas Medical Records Privacy Act is much more inclusive and anyone who creates or maintains medical records must comply with Texas rules. Physicians may want to seek the advice of an attorney who specializes in HIPAA to determine if they are exempt from the federal law.

In 2003, practices that had paper medical records and met the definition of a covered entity were required to meet HIPAA Privacy. Is that all I need to be concerned about?

• Covered entities were required to meet HIPAA Privacy in 2003; however, changes have been made that affect Texas physicians. The Texas Medical Records Privacy Act, HITECH in 2009, and the HIPAA Omnibus Rule in 2013 have changed the requirements. Additionally, if you bill electronically or have transitioned to electronic medical records you must meet the HIPAA Security Requirements. For more information, visit the HHS website.

Who is required to conduct a risk analysis and how often must it be repeated?

• All practices that are required to meet the HIPAA Security Rule are required to conduct a risk analysis. Generally speaking, if you bill electronically, have electronic records, or maintain records in an electronic format you are required to conduct a risk analysis. Additionally, you are required to re-assess your risk and vulnerabilities any time you make significant changes to your network or system.
• For practices participating in meaningful use, the requirement is to conduct a risk assessment annually or review the previous one. The inability to produce a thorough and complete risk assessment is the number one reason that medical practices are failing meaningful use audits.
• Additionally, if a breach or complaint is investigated by the OCR, investigators will ask to see the results of all risk assessments performed, as well as any plan developed to address the risks and vulnerabilities discovered.
• TMLT staff are available to conduct a risk analysis for your practice. Please contact  our Product Development and Consulting Services Department at consultingwebmail@tmlt.org

What are the requirements for training staff on privacy and security?

• Under HIPAA, covered entities were required to train staff and repeat training when changes were made in the practice. Texas has much more stringent requirements. All new employees must be trained by the 90th day of employment; employees must be retrained whenever there is a change in the law that affects their job as it relates to personal health information (training should be done as soon as possible, but is required by the first anniversary of the effective date of the law); and the employee must sign an acknowledgment of training.

Are business associate agreements required?

• Under HIPAA, HITECH, the HIPAA Omnibus Rule, business associate agreements or contracts are required to clearly outline the responsibilities of the business associate. Under the Omnibus Rule, there are more requirements for business associates and their subcontractors. Covered entities should review their business associate agreements for compliance.
• All business associate agreements should have been updated before September 22, 2014 to meet the requirements of the Omnibus rule.
• For more information, please see the HHS website.

How is sensitive personal information different from protected health information?

• In Texas, sensitive personal information (SPI) contains the following:
  • social security number;
  • driver's license number or other government-issued identification number;
  • account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
• Information that identified an individual and relates to:
  • the physical or mental health or condition of the individual;
  • the provision of health care to the individual; and
  • payment for the provision of health care to the individual.

What should I do if I have a breach of protected health information?

• The definition of a breach changed significantly in 2013. A breach is now usually defined by the U.S. Department of Health and Human Services as "an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment…"
• All TMLT policyholders have a cyber liability endorsed to their medical professional liability policies. Contact the TMLT claims department to report a breach and you will be provided assistance. It is important to report a breach as soon as possible, as timely reporting is a requirement for obtaining coverage. Depending on the number of records affected, you will have notification requirements. Generally, all breaches must be reported to the affected patient(s) within 60 days and must be reported to the U.S. Secretary of Health and Human Services.

What am I required to do under the ADA to accommodate patients who are hearing impaired?

• Appropriate auxiliary aids and services may include qualified interpreters, assistive listening devices, note takers, and written materials. The ADA does not require modifications that would fundamentally alter the nature of the services provided or result in an "undue burden" on the provider. What constitutes an "undue burden" is determined on a case-by-case basis. At least one court has found in favor of the plaintiff over the provision of an interpreter for a hearing-impaired patient in a primary care physician's office. See more from the ADA on their website.

What does the ADA require for mobility-impaired patients?

• A public accommodation is required to remove architectural barriers in existing facilities where such removal is "readily achievable," which is defined as "easily accomplished and able to be carried out without much difficulty or expense." Examples of steps to remove barriers include installing ramps, widening doors, installing grab bars in bathroom stalls, installing a raised toilet seat, removing deep pile carpeting, and creating designated, accessible parking spaces. Please refer to the ADA website and resource, "Access To Medical Care For Individuals with Mobility Disabilities," for more information.

What about those patients who do not speak English? Am I required to provide and absorb the cost of an interpreter?

• According to the Office for Civil Rights, an entity receiving federal reimbursement (such as Medicaid or Medicare) is responsible for ensuring that effective oral and written communication occurs with program beneficiaries who are limited English proficient (LEP). The entity can take several steps to meet its obligations to LEP patients. Providing interpreters, at no cost to the client, is one method. Please visit the Federal LEP website for more information.

Who has responsibility for ADA compliance in leased buildings, the landlord or the tenant?

• The ADA places legal responsibility to remove barriers or provide auxiliary aids on both the landlord and the tenant.

What is my responsibility as an employer under the ADA?

• Employers with 15 or more employees must comply with the ADA in their employment practices. The ADA protects individuals with disabilities from discrimination related to employment practices. Individuals with disabilities who meet "the skill, experience, education, and other job-related requirements of a position held or desired, and who, with or without reasonable accommodation, can perform the essential functions of a job" are protected. To be covered by the ADA, an individual must have a mental or physical impairment that (even with corrective or mitigating measures, such as corrective lenses) substantially limits one or more major life activities. In addition, the ADA prohibits discrimination against persons who are perceived to have a disability.
• Please refer to the ADA website for more information.

What is an advance directive?

• According to the Texas Advance Directives Act, the current definition of an advance directive is: "an instruction to administer, withhold or withdraw life-sustaining treatment in the event of a terminal or irreversible condition [A Directive to Physicians and Family or Surrogates]; or an out-of-hospital DNR order; or a medical power of attorney."
• Advance directive documents include:
  1. Directive to Physicians, instructing health care professionals to administer, withhold, or withdraw life-sustaining treatment in the event of a terminal or irreversible condition (previously called a "living will");
  2. out-of-hospital do-not-resuscitate orders; and
  3. medical power of attorneys.

What is a terminal condition?

• A terminal condition means an incurable condition caused by injury, disease, or illness that according to reasonable medical judgment will produce death within six months, even with available life-sustaining treatment provided in accordance with the prevailing standard of medical care. A person admitted to a licensed hospice program is presumed to have a terminal condition.

Do both witnesses to advance directives need to meet the statutory requirements?

• No. While both witnesses must be competent adults, only one must meet certain statutory requirements, such as:
  1. not designated by the declarant to make treatment decisions;
  2. not related to the patient by blood or marriage;
  3. not mentioned in the patient's will or having any claim to his/her estate; and
  4. not the attending physician, his/her employees, or certain employees of the health care facility in which the patient is being treated.

Are advance directives executed in another state valid?

• Yes, a directive executed in another state is enforceable provided that it complies with the laws of the State of Texas. For guidelines, please go to the Texas Medical Association's Death Act: Directive to Physicians.

Who can execute a directive on the behalf of a minor?

• A directive may be executed on behalf of a qualified minor by:
  1. the patient's spouse, if the spouse is an adult;
  2. the patient's parents; or
  3. the patient's legal guardian.

Do advance directives need to be notarized?

• No, in fact a physician or health care facility may not require that a directive be notarized or that a person use a form provided by the health care professionals.

What about advance directives for pregnant patients?

• A person may not withdraw or withhold life-sustaining treatment from a pregnant patient.

What is my liability in following or refusing to follow an advance directive?

• A physician, health care facility, or health care professional with no knowledge of a directive is not civilly or criminally liable for failing to act in accordance with the directive. However, if an attending physician refuses to comply with the directive, life-sustaining treatment must be provided to the patient only until a reasonable opportunity has been afforded for the transfer of the patient to another physician willing to comply with the directive or treatment decision. Failure to follow a qualified patient's directive will subject the physician or health care professional to review and disciplinary action by the appropriate licensing board.

What can I do when I disagree with the surrogate decision-maker?

• Whether the physician is recommending that treatment be continued or that it be stopped because it is medically futile, the new law codifies a process that includes a mandatory ethics consultation; a reasonable attempt to transfer the patient to another physician or institution willing to honor the directive; and, in the case of medical futility disputes, continuation of life-sustaining procedures for at least 10 days after the ethics committee explains its conclusion in writing to the patient's surrogate.

Should I perform background checks on employees?

• Under the legal doctrine of respondeat superior, physicians are responsible for the actions of their employees committed within the scope of employment. Like any employer, a physician is required to select, train, supervise, and discipline his or her employees in a manner consistent with providing quality patient care. Checking references and performing background checks reflects your efforts to employ qualified personnel. The information should be documented in the employee's personnel file.
• In Texas, criminal background checks can be performed through the Texas Department of Public Safety (DPS). A full set of fingerprints (which can be obtained at your local law enforcement department or at the DPS office), a signed written request, and a $15 fee are required. Please visit the Texas DPS website for more information.

What is my responsibility when supervising physician assistants (PAs) and advanced practice registered nurses (APRNs)?

• The Medical Practice Act (MPA) establishes minimum standards for supervision by physicians of PAs and APRNs for provision of services at various sites. In most situations, a physician is limited to supervising no more than seven full time equivalent PAs and APRNs, but there are exceptions. Prescriptive authority agreements, standing delegation orders, standing medical orders, physician's orders, or other orders or protocols may authorize diagnosis of the patient's condition and treatment. Neither the MPA nor the Texas Medical Board rules authorize the exercise of independent medical judgment by PAs or APRN. The supervising physician remains responsible to patients for acts performed under the physician's delegated authority.
• Physician supervision shall conform to what a reasonable, prudent physician would find consistent with sound medical judgment, and may vary with the education and experience of the PA or APRN. A physician shall provide continuous supervision, but the constant presence of the physician is not required. The physician must be easily contacted by radio, telephone, or other telecommunication device. Please see TMB rules Chapter 185 and Chapter 193 for more information.
• Additional information is also available from the Texas Board of Nursing.

What is my responsibility when delegating tasks to unlicensed employees?

• Provided that you are satisfied with the competence of your employee, with due regard to the safety of the patient, and in keeping with sound medical practice, standing delegation orders may be authorized for the performance of acts and duties that do not require the exercise of independent medical judgment. Please see TMB Standing Delegation Orders, Chapter 193 for more information.
• Unlicensed employees can be trained to perform some tasks associated with the delivery of patient care; however, some tasks are inappropriate to delegate and the accountability for the competent performance of that task remains with the physician. In determining the appropriate role for unlicensed personnel, you should consider the capabilities of the employee, the complexity of the task, and the amount of supervision required. Employers can be held liable for negligent delegation if they:
  • delegate a task they know or should know the person does not have the training or experience to complete;
  • do not provide the degree of supervision the employer knows or should know is needed;
  • delegate tasks contrary to the medical/nurse practice act;
  • delegate tasks that pose substantial risk of harm to a patient or are present and fail to take action when possible to avoid patient injury; and
  • do not properly allocate the time of available staff.

Can I test a patient for HIV after one of my employees has been accidentally exposed?

• In a case of accidental exposure to blood or other body fluids, the health care facility may test the person who may have exposed the health care worker to HIV without the person's specific consent to test. Any identifying information concerning the person should be destroyed as soon as the testing is complete and the person who may have been exposed is notified.

What type of consent is required for HIV testing?

• Except as otherwise provided by law, a person may not perform an HIV test without first obtaining the informed consent of the person to be tested. This consent does not need to be written. Documentation in the medical record that the test has been explained and consent has been obtained is sufficient. For more information on HIV consent, please review the Texas Health and Safety Code.

What is the law concerning spousal/partner notification of positive HIV test results?

• According to the Texas Department of State Health Services, private physicians or their designee, may notify spouses or partners of their possible exposure to HIV or may seek assistance from the local or regional HIV/STI program. Physicians asking HIV/STI programs to contact a spouse or partner will provide written confirmation that the client tested HIV-positive.

What is expedited partner therapy (EPT)?

• Physicians are allowed to prescribe treatment for the sexual partner(s) of their established patients who have been diagnosed with chlamydia or gonorrhea without establishing a professional relationship with the partner first. Please see the The Texas Department of State Health Services EPT resources for more information.

Can I test for HIV before a procedure?

• Texas law provides that a person (such as a physician) may require another person to have an HIV test if a medical procedure is to be performed that could expose health care personnel to AIDS or HIV infection, and there is sufficient time to receive the test result before the procedure is conducted. However, HIV-positive patients are considered "disabled" under the Americans with Disabilities Act (ADA), which supersedes state law. The ADA also prohibits discrimination against persons who are perceived to have a disability. Thus, refusing to perform a procedure based on HIV status or the patient's refusal to undergo an HIV test would likely violate the ADA.

Does the Americans with Disabilities Act (ADA) require me to treat individuals with HIV?

• While the ADA expressly provides that a public accommodation may exclude an individual if that individual poses a "direct threat" to the health or safety of others that cannot be mitigated by appropriate modifications in the accommodation policies or procedures, one cannot justify the refusal to treat HIV-positive or AIDS patients in the policies of organized medicine or public health. The Centers for Disease Control and Prevention and the American Medical Association recommend the use of "universal precautions" to prevent the transmission of blood-borne diseases in the health care setting.

What are the current STD treatment guidelines?

• Please see the U.S. Centers for Disease Control and Prevention (CDC) 2015 Sexually Transmitted Diseases Treatment Guidelines.

What are the risks of prescribing a medication for off-label use?

• Because a particular use of the drug may be beneficial but uncommon, many drug manufacturers choose not to seek FDA approval for an off-label use due to cost and time factors. Congress has not prohibited the prescription of medications for off-label use.
• However, prescribing a medication for off-label use is not without risk, particularly in pediatrics. Physicians are still responsible for practicing prudent medicine. The available literature and the practices of similarly situated physicians would be evidence of compliance to the standard of care. In addition, physicians are encouraged to obtain a signed, written consent indicating the rationale for the medication, its risks, benefits, and alternatives. Information is available at the FDA website.

Do I have to keep my sample medications and prescription pads locked away?

• Not necessarily. Health care professionals have a responsibility to guard against theft of sample medications and prescription pads. Sample medications should be stored in areas accessible only to physicians and clinical staff members. Prescription pads should not be readily accessible to patients, visitors, or some staff members. However, locking up prescription pads protects them, and is certainly prudent risk management.

What should I do if prescription pads or controlled substances are missing?

• Prescription pad or controlled substance theft should be reported to local law enforcement and the Drug Enforcement Agency. If prescription pads are missing, local pharmacies and the Board of Pharmacy should also be notified.

Do I need to keep receipts of sample medications?

• Yes. The Texas Administrative Code requires that all physicians maintain a copy of each signed request form for sample dangerous drugs for a period of two years from the date of acquisition. Dangerous drugs are defined as any medications that require a prescription.

Can Schedule II drugs be prescribed electronically in Texas?

• Effective September 1, 2011, Schedule II drugs may be prescribed using electronic prescriptions.
• During the 82nd Texas Legislative session, Senate Bill 594 was passed. It amends the Texas Health & Safety Code to allow Schedule II drugs to be prescribed with an electronic prescription, to match changes to the federal law. Read the full text of the bill.

Can physicians be fined for purchasing drugs or medical devices from a vendor unlicensed to sell in Texas?

• The Texas attorney general and the federal government are taking actions against physicians arising from the purchase and use of medical products and drugs that are allegedly not legal for use in the United States. Most of these cases arise when physicians attempt to save money for their patients by buying drugs and devices from Internet sites or distributors who offer product discounts.
• The typical scenarios that give rise to these actions include:
  • Physicians purchase medical products over the Internet believing the goods are approved for use in the U.S., but the products are not "FDA approved" or labeled for domestic distribution. This renders the products "misbranded."
  • Physicians may unknowingly purchase a medical product from a distributor unlicensed or unauthorized to do business in Texas or the U.S.
• Either of these actions may give rise to a charge of numerous "laundry list" acts that violate Texas law, most prominently the Texas Deceptive Trade Practices Act (DTPA). The DTPA has been interpreted as essentially a strict liability statute, so that fines may be pursued even if the doctor had no intent to violate the law.
• Under Texas law, each proven violation may result in a civil penalty of not more than $20,000 per violation, with additional penalties if the consumer was over the age of 65. Each individual use of the product may be deemed a distinct statutory violation by the attorney general, so the fines can be very large.

What does the Occupational Safety and Health Administration (OSHA) require for medical practices?

• OSHA standards require that medical practices develop and comply with safety policies and procedures related to blood-borne pathogens, regulated waste disposal, and chemical hazard communication. Employee training is required initially and annually thereafter. Records of all OSHA training should be maintained for three years. Employers are required to make Hepatitis B vaccination available at no cost to all employees whose job classifications indicate potential exposure. Employees who refuse vaccination must sign a declination form. All employee medical records must be kept confidential and retained for at least the duration of employment plus 30 years. More information is available at the OSHA website.

Since I perform only a few simple tests in my office, do Clinical Laboratory Improvement Amendments (CLIA) regulations apply to my practice?

• Yes, CLIA does apply. However, simple tests are waived from specific CLIA requirements. Some of these include:
  • dipstick or tablet reagent urinalysis;
  • fecal occult blood;
  • ovulation test using visual color comparison;
  • urine pregnancy test using visual color comparison;
  • erythrocyte sedimentation rate — non-automated;
  • hemoglobin by copper sulfate method — non-automated;
  • spun microhematocrit; and
  • blood glucose using certain devices cleared by the FDA specifically for home use.
• A complete list of CLIA-waived tests is available at the FDA's CLIA website. If you perform only these tests, a CLIA certificate of waiver is required.

What are the requirements for medical waste management?

• The Texas Administrative Code defines the requirements for medical waste management, disposal, transportation, collection, and storage. In general, generators of medical waste are required to maintain receipts of its disposal for a period of three years. More information is available from the Texas Commission on Environmental Quality.

What informational resources are physicians required to provide to the parents of newborns?

• This information is available from the Texas Department of State Health Services.

Where can I find information about umbilical cord blood banking?

• During the 2007 regular legislative session, legislators passed House Bill 709, which requires physicians to provide pregnant patients with a brochure on umbilical cord blood banking. The brochure and additional information is available from the Texas Department of State Health Services.

What does the law require for physicians to sign death certificates?

• Texas physicians who are asked to sign a death certificate must do so electronically or face fines of up to $500 per violation.
• A medical certifier on a death certificate must submit the medical certification and attest to its validity electronically. Physicians must register with the Texas Electronic Death Registrar (TEDR) before signing a death certificate. Any physician who signs a death certificate, and is not registered with TEDR, may be fined up to $500 by the TMB.
• Physicians who have not yet registered can do so at the TEDR website.
• If you need assistance, send an email or call the TER at 888-963-7111 ext. 3490.
• Fetal death certificates — if a fetus is born without vital signs, it is appropriate for the physician (medical certifier) to complete a paper death certificate. If a fetus is born with vital signs, the physician (medical certifier) must complete an electronic death certificate.

Where can I find the Authorization to Disclose Protected Health Information form developed by the Attorney General of Texas?

• An electronic copy of the form is located on the Texas Attorney General's website.

What is the proper procedure for the release of medical records?

• In order to be acceptable under the Health Insurance Portability and Accountability Act (HIPAA) and compliant with state law, an authorization for the release of protected health information (PHI) must:
  • be in writing;
  • identify who is authorized to make the disclosure;
  • identify who may receive the PHI;
  • identify who may make the authorization;
  • identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health and substance abuse treatment;
  • describe the purpose of the disclosure;
  • note when the authorization expires; and
  • contain a signature and date (of the patient or personal representative).
• A valid authorization must also have these statements:
  • the patient has the right to revoke the authorization, with instructions on how to revoke;
  • clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
  • a warning that the PHI may be re-disclosed by the receiving entity.
• The patient must receive a copy of the authorization and the provider must also maintain a copy.
• Pursuant to HIPAA regulations, if your medical record contains any notes forwarded to you by a mental health professional you cannot re-disclose that information, even under subpoena. HIPAA defines mental health professionals as psychiatrists, psychologists, and licensed professional counselors.

Who can authorize the release of medical records?

• The authorization to release medical records may be signed by:
  • a parent or legal guardian if the patient is a minor;
  • legal guardian if the patient has been adjudicated incompetent to manage his/her own personal affairs;
  • an agent of the patient authorized under a durable power of attorney for health care;
  • an attorney ad litem or guardian ad litem appointed for the patient;
  • a personal representative or statutory beneficiary if the patient is deceased; and
  • an attorney retained by the patient or by the patient's legally authorized representative.

Who "owns" the medical record?

• The physical pieces of paper are the tangible, personal property of the person or entity who created them. However, by law patients have the right to obtain copies of their medical records. The only clear exception is in the Medical Practice Act, "If the physician determines that access to the information would be harmful to the physical, mental or emotional health of the patient." The physician might be asked to produce a reasonable explanation as to why the records or information may be harmful to the patient.
• Never release the original record, except under subpoena and then retain a copy.

What constitutes a medical record?

• Medical records include any records pertaining to the history, diagnosis, treatment, or prognosis of the patient. The Texas Medical Board rules (Chapter 165) state that records received from another physician or health care provider involved in the care or treatment of the patient shall be maintained as part of the medical record.

Is there a time limit to respond to requests for medical records?

• The physician has 15 business days (from the date the request is received) to respond to the request. If a physician “denies the request for copies of medical and/or billing records or a summary or narrative of the records, either in whole or in part, the physician shall furnish the patient a written statement, signed and dated, within 15 business days of receipt of the request stating the reason for the denial and how the patient can file a complaint with the federal Department of Health and Human Services (if the physician is subject to HIPAA) and the Texas Medical Board. A copy of the statement denying the request shall be placed in the patient's medical and/or billing records as appropriate.” Taken from Texas Medical Board Rules, Chapter 165.2 Medical Record Release and Charges

May I charge for copying medical records?

• When determining allowable fees for copies of medical records, both federal and state regulations should be followed. Guidelines differ for release of records directly to the patient versus release of records to a third party.
• The Office of Civil Rights (OCR) has updated guidelines on patients'/individuals' rights to obtain their medical records and how much providers/covered entities can charge for copies. Chapter 45 of the Code of Federal Regulations Section 164.524 outlines individuals' rights to access their protected health information (PHI). Given the intricacies of the new rules, we recommend reviewing these FAQs and Chapter 45 of the Code of Federal Regulations Section 164.524.
• Below are highlights from the new rules:
• Fees to release directly to the patient/individual
• Flat-Rate of $6.50—The OCR has determined that a flat-fee of $6.50 is a reasonable cost for the release of medical records directly to a patient/individual. If the provider does not calculate a reasonable fee as outlined below, then the provider should charge the flat-rate of $6.50 to the individual for copies of their PHI.
• Charging an individual more than $6.50
• For any request from an individual, a covered entity (or business associate operating on its behalf) may calculate the allowable fees for providing individuals with copies of their PHI:
  1. By calculating actual allowable costs to fulfill each request; or
  2. By using a schedule of costs based on average allowable labor costs to fulfill standard requests.
  3. Alternatively, in the case of requests for an electronic copy of e-PHI, covered entities may charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage)
• Charging a flat fee not to exceed $6.50 per request is an option for entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of e-PHI.
• When an entity chooses generally to use the average cost method or flat fee for electronic copies of e-PHI, the entity may receive an uncommon request that it had not considered when setting up its fee structure. In these cases, the entity may wish to calculate actual costs, and it may do so as long as the costs are reasonable and only of the type permitted by the Privacy Rule.
• An entity that chooses to calculate actual costs in these circumstances must — as in other cases — inform the individual in advance of the approximate fee that may be charged for providing the copy requested.
• Health care providers are urged to err on the side of caution when determining fees for release of records directly to the patient. While the HHS has published the guidelines above, these rules are intended to increase patients' access to their own records. This is demonstrated by language found in the HHS FAQs:
• "…while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care.”
• For more information, please see these FAQs along with Chapter 45 of the Code of Federal Regulations Section 164.524.
• Release for free or to patient with outstanding bill
• A covered entity may not withhold or deny an individual access to their PHI because the individual has not paid the bill for health care services provided. While the Privacy Rule permits the limited fee as described, covered entities should provide individuals who request access to their information with copies of their PHI free of charge to avoid creating a barrier to access.
• Fees to release to third-party
• The new OCR flat-rate fee guidance does not apply to release of records to a third-party unless that release is directed by the individual/patient to the third-party (see FAQs). For direct requests from a third-party, the covered entity/provider should follow the Texas Medical Board (TMB) rules for release of PHI.
• Please review the most recent version of the TMB rules Chapter 165.2 Medical Records Release and Charges. Below is an excerpt from the TMB rules:
• (e) Allowable Charges.
• (1) Paper Format.
• (A) The physician responding to a request for such information in paper format shall be entitled to receive a reasonable, cost-based fee for providing the requested information.
• (B) A reasonable fee for providing the requested records in paper format shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter.
• (2) Electronic Format.
• (A) The physician responding to a request for such information to be provided in electronic format shall be entitled to receive a reasonable, cost-based fee for providing the requested information in electronic format.
• (B) A reasonable fee for providing the requested records in electronic format shall be a charge of no more than: $25 for 500 pages or less; $50 for more than 500 pages.
• (3) Hybrid Records Format.
• (A) The physician responding to a request for such information that is contained partially in electronic format and partially in paper format ("hybrid"), may provide the requested information in a hybrid format and shall be entitled to receive a reasonable, cost based fee for providing the requested information.
• (B) A reasonable fee for providing the requested records in a hybrid format may be a combination of the fees as set forth in paragraphs (1) and (2) of this subsection.
• (4) Other Charges.
• (A) If an affidavit is requested, certifying that the information is a true and correct copy of the records, whether in paper, electronic or hybrid format, a reasonable fee of up to $15 may be charged for executing the affidavit.
• (B) A physician may charge separate fees for medical and billing records requested.
• (C) Allowable charges for copies of diagnostic imaging studies are set forth in §165.3 of this title (relating to Patient Access to Diagnostic Imaging Studies in Physician's Office) and are separate from the charges set forth in this section.
• (5) A reasonable fee for records provided in a paper, electronic or hybrid format may not include costs associated with searching for and retrieving the requested information, and shall include only the cost of:
• (A) copying and labor, including, compiling, extracting, scanning, burning onto media, and distributing media;
• (B) cost of supplies for creating the paper copy or electronic media (if the individual requests portable media) that are not prohibited by federal law;
• (C) postage, when the individual has requested the copy or summary be mailed; and
• (D) preparing a summary of the records when appropriate.
• For more information, please review the most recent version of the TMB rules Chapter 165.2 Medical Records Release and Charges and TMB FAQs for Consumers. 

May I withhold copies of medical records until the copies are paid for?

• You are entitled to receive the fee for records preparation before releasing the records, except in these situations:
  • where the records are requested by a licensed Texas health care provider or any American or Canadian licensed physician for acute or emergency medical care; and
  • to support an application for disability or other benefits or assistance under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, and Federal Old-Age and Survivors Insurance, and Veteran's Benefits.

What about medical records for other physicians?

• The Texas Medical Practice Act states "A physician shall furnish copies of medical records requested, or a summary or narrative of the records, including records received from another physician or health care provider involved in the care or treatment of the patient, pursuant to a written authorization for release of the information." The exception is psychiatric records.

If a physician feels it would be harmful to release copies of medical records to a patient, what should be done?

• When a physician deems it necessary to deny a request to release medical records, that physician must provide the patient a written statement within 15 business days of receipt of the request, and file a copy of the statement in the medical record. The statement must specify the reason for the denial and how the patient can file a complaint with the federal Department of Health and Human Services and the Texas Medical Board.

Can information from medical records be released without the patient's consent?

• Some release of information is required by law, and may be released without the patient's consent. These situations include:
  • treatment of gunshot wounds to law enforcement officials;
  • suspected child and elder abuse to the Texas Department of Protective and Regulatory Services and law enforcement; and
  • positive HIV tests (without the patient's name) and AIDS diagnoses (with the patient's name) to the Texas Department of State Health Services and local health department.
  • Medicare records must be made available promptly to representatives of the Department of Health and Human Services.
  • Medicaid records must be made available promptly to Texas Department of State Health Services, the Texas Attorney General's Medicaid Fraud Control Unit, Texas Medicaid Health Partnership, and the Department of Protective and Regulatory Services.
• In none of these situations is the patient's authorization for release of information required. There are limited additional circumstances under which records may be released without patient authorization. For example, a physician may release information to medical or law enforcement personnel, if the physician determines that there is a probability of imminent physical injury to the patient, physician, or other person. Read more from the Texas Medical Association about these exceptions to confidentiality. (TMA log-in required).

May I release health information to an insurance company without the patient's consent?

• You may file an insurance claim without a written signed consent accompanying each claim.

How should I respond to a subpoena?

• Please contact TMLT's Claims Department to inquire about how to respond to a subpoena. In addition, if you are a Texas physician, the Texas Medical Association offers a resource Subpoenas for Medical Records. (TMA log-in required).

How long do I need to keep medical records?

• For adults — all records must be kept for at least seven years from the date of the last treatment. (Hospitals are required to keep records for 10 years, so some physicians may choose to keep office records for 10 years also.)
• For minors — records for minor patients must be kept for at least seven years from the date of last treatment or until the child turns 21, whichever is longer.
• For more information, please visit the see Chapter 165 of the Texas Medical Board rules.

Who is considered a minor?

• A minor is a person under age 18 who has never been married and never been declared an adult by a court.

When can minors consent to their own treatment?

• The Texas Family Code Section 32.003 lists instances where a minor child can consent to certain types of medical treatment on his or her own. These include:
  • a minor on active duty with the armed forces of the United States;
  • a minor who is 16 years of age or older, residing apart from his/her parents or guardian, and managing his/her own financial affairs;
  • a minor who is unmarried and pregnant can consent to treatment related to the pregnancy other than abortion;
  • a minor can consent to diagnosis and treatment of infectious, contagious, or communicable disease that are reportable to the Texas Department of State Health Services;
  • a minor who is unmarried, is the parent of a child, has actual custody of his or her child and consents to the medical, dental, psychological, or surgical care for the child may consent to his or her own treatment;
  • a minor who is serving a term of confinement in a facility operated by or under contract with the Texas Department of Criminal Justice; and
  • a minor can consent to counseling for suicide prevention, chemical or alcohol addiction or dependency, or sexual, physical or emotional abuse.
• A physician may rely on a written statement by the minor containing the grounds on which the minor has capacity to consent to treatment.

Who can consent for the treatment of the child of an unmarried minor?

• An unmarried minor who has "actual custody" of his/her own biological child can consent to medical, dental, psychological, and surgical treatment for the child.

What are my legal obligations when treating minors for contraception.

• In general, minors cannot give consent for their own medical treatment (see exceptions above). Contraception is not specifically addressed by law as an exception. In most situations, it is not a treatment for which a minor can give consent unless he or she is an "emancipated minor."

Do both divorced parents have a right to review the information in their minor child's medical records?

• Unless the court finds it would not be in the best interest of the child, "both parents shall be appointed as joint managing conservators of the child." (Texas Family Code Section 153.131) Joint managing conservator is the modern term for "joint custody."
• The court granting the divorce may allocate the rights and duties of the joint managing conservators. Thus, both may have the right to consent to invasive procedures, or only one may have that right. Ask to see a copy of the court order when in doubt. Both joint managing conservators have the right to access the child's medical records unless specifically limited by the court granting the divorce.
• Unless limited by a court order, both the possessory conservator (custodial parent) and the managing conservator (noncustodial parent), have the following rights:
  • right of access to medical, dental, psychological, and educational records;
  • the right to consult with a physician, dentist, or psychologist of the child; and
  • the right to be designated on the child's records as a person to be notified in case of an emergency.

When can a non-parent consent to treatment of a minor?

• When the person having the power to consent cannot be contacted and actual notice to the contrary has not been given, other persons and entities can give consent. These include:
  • grandparents;
  • adult siblings;
  • aunts and uncles;
  • an educational institution with written authorization;
  • any adult who has actual care, control, and possession of the minor with written authorization;
  • a court having jurisdiction over a suit affecting the parent-child relationship;
  • an adult responsible for the actual care, control, and possession of a child under the jurisdiction of a juvenile court or committed by a juvenile court to the care of an agency of the state or county;
  • a peace officer who has lawfully taken custody and has reasonable grounds to believe immediate medical treatment is needed; and
  • for immunizations only, a guardian or any person authorized under law or court order to consent for the child or, if these persons are not available, any one of the persons listed above.
• When documenting consent by a non-parent, consent must be in writing and include:
  • the name of the child;
  • the name of one or both parents, if known; and the name of any managing conservator or guardian of the child;
  • the name and relationship of the person giving consent and their relationship to the child;
  • a statement of the nature of the medical treatment to be given; and
  • the date the treatment is to begin. (Texas Family Code Title 2, Chapter 32)

Should I talk with an attorney "off the record" regarding a medical malpractice lawsuit in which I am not a party?

• Medical records or protected health information should never be released without consent of the patient or the patient's authorized representative. Instruct the attorney you are willing to cooperate within the confines of the law and the litigation process (e.g. giving deposition or testimony by subpoena). Do not "volunteer" information to the attorney even though you are not a party to the lawsuit. You need to protect yourself against any potential action that may result from an "off the record" conversation.
  
  Contact the TMLT Claims Department at 800-580-8658 with questions about how to respond to an attorney request.

How do I terminate the physician-patient relationship?

• Your relationship with a patient should be terminated in a manner that reduces liability for patient abandonment and facilitates patient care. The patient should be notified in writing by first class U.S. mail and certified mail, return receipt requested. Keep a copy of the letter and return receipt in the patient's chart.
• You are not required to state a reason for termination and in fact, it may not be advisable to state a reason such as incompatible personality, hostile behavior, etc. You may state "failure to follow medical advice" or "failure to keep appointments that are medically indicated." Agree to treat the patient for 30 days. Clearly state the date on which the termination will be effective. Provide resources to help the patient find a new physician, (e.g. health insurance plan, county medical society), but do not make a specific physician referral unless your state's medical board rules require otherwise (Texas does not). Offer to send a copy of the medical record to the new physician upon receipt of signed authorization, and include a blank authorization form.
• More information and sample termination letters can be found in the TMLT's CME activity,Terminating the patient-physician relationship, published in the 2012 Volume 5 issue of the Reporter.

What testing does the law require for pregnant patients?

• Clinicians in Texas — including physicians or any other person permitted to attend to a pregnant woman — must test every pregnant woman under their care for HIV, syphilis, and hepatitis B unless she objects. HIV and syphilis tests must take place during the pregnant woman's first prenatal visit and during her third trimester (as of September 1, 2015). An additional syphilis test must be performed at delivery. If there is no record of her HIV and syphilis test results from the third trimester, then the woman must be tested at delivery unless she objects. The law also provides for expedited testing of the mother and newborn at delivery. To learn more, please visit the Texas Department of State Health Services Diagnostic Testing and Pregnancy in Texas site.
• The woman must be informed of the HIV test before the testing and advised that the result of the test is confidential, but not anonymous. The woman has the right to refuse HIV testing and refusal should be documented in the record. Before testing for HIV, the health care professional must:
  1. Distribute printed materials about HIV, AIDS, Hepatitis B and syphilis to the patient. (Printed materials are available from the Texas Department of State Health Services.)
  2. Notify the patient of the law requiring the provider to test for Hepatitis B, syphilis, and HIV and inform the patient of her right to refuse testing. Explain the difference between confidential and anonymous testing.
  3. Provide the patient with a referral to an anonymous testing facility if the patient objects to testing.
  4. Document the HIV test was explained, printed materials were given, and consent was obtained.
• If tests indicate a woman is infected with HIV, the provider who submitted the sample for testing must provide the woman with:
  1. Information relating to HIV infection and AIDS in a manner understandable to that patient.
  2. Counseling in a manner that complies with the Health and Safety Code, which allows for referral to an entity that provides counseling/treatment for individuals infected with HIV. Please see the Texas Department of State Health Services web site for more information regarding counseling requirements.

Do I need cyber liability insurance if my practice is proactive about Internet security and safeguarding ePHI?

• There is no "fail safe" cyber security per se. The level of sophistication and persistence of hackers today is remarkable. They are constantly probing for any weakness in systems or people. Even well defended organizations can experience a data breach from employees who run malicious code or attempt to gain unauthorized access to a network. It’s all about likelihood, vulnerabilities, and impact. Data breaches can arise from many sources, including:
  • hackers gaining access through a malicious malware or phishing attack;
  • lost or stolen unencrypted mobile storage devices;
  • employee negligence or malfeasance; and
  • lack of internal policies and/or system failures.
• Health care records contain sensitive and valuable information for medical identity theft. A cyber criminal can get $50 or more for a complete medical record. Two common objections we hear from medical practices are "A data breach won’t happen to us. We’re too small" or "Our data is 100% secure." Yet, you can have the best cyber security and still have a data breach. For example, an employee inadvertently gave out his password, as described in The Current State of CyberCrime 2014.

What about the cost of cyber liability insurance?

• Cyber insurance plays a vital role in financing and managing cyber risks. Simply completing the insurance application can be a "mini risk assessment." Doing so can lead to a better understanding of your cyber security risks. Data breaches and their potential financial impact are often under-appreciated.
• Direct costs of a data breach can include legal expenses for breach notifications or to defend third-party lawsuits; IT forensics for data restoration; public relations; credit monitoring services; call center support; and potential regulatory fines and penalties. The indirect costs can include a loss of revenue; loss of patient good will and reputation (from adverse media reports); and the loss of employee and business productivity.
• For health care providers, most medical professional liability policies include some level of cyber liability coverage. The limits of liability are typically in the range of $25,000 to $100,000 per claim and in the aggregate. However, in certain data breach incidents, the costs of a breach can quickly exceed these underlying limits. Therefore, it’s very important for any organization who suspects a data breach to call their professional liability or cyber liability carrier immediately to report the incident. Each breach requires a specific response and there are required reporting timelines.
• Because the total cost of a data breach can be significant, we recommend organizations maintain high limits of liability ($1 million or above per claim and in the aggregate). This is important because if the organization's underlying cyber liability limits are exhausted to pay the costs of a data breach, all further investigation, defense, and remediation expenses will fall to the organization. Because an Office of Civil Rights (OCR) investigation can linger, the organization may not know for several years if any fines or penalties will be imposed.

Can you give an example of a cyber claim?

• TMLT policyholders have reported more than 430 breach incidents since we added cyber liability coverage to our policies in December 2011. One policyholder received an investigation letter from the OCR because the practice’s office computers, including an unencrypted laptop, had been stolen. Office staff were unable to access patient electronic records during appointments and (allegedly) failed to notify patients of the breach of their protected health information (PHI). The OCR also requested a matrix of other documentation, including a copy of the policyholder’s most recent security risk assessment. Their TMLT cyber liability coverage paid for their breach-related expenses.

What does a cyber risk insurance policy typically cover?

• There is no uniformity of cyber liability coverage forms. The majority of cyber liability insurance policies include coverage for both first-party and third-party losses, although some coverage forms may lack important protection, such as for cyber extortion/ransomware or regulatory fines and penalties.
  • First-party coverage typically includes coverage to restore or recover the policyholder’s lost or damaged computer programs and data; for breach response services for patient notifications and credit monitoring expenses; for crisis management and public/media relations; for cyber extortion and cyber terrorism; and for cyber crime/financial fraud. Some cyber liability policies also include first-party coverage for the loss of revenue and extra expenses due to a business interruption.
  • Third-party coverage typically includes coverage to defend and indemnify liability claims related to security and privacy breaches resulting in the disclosure of confidential information; for regulatory investigations and fines and penalties; and for claims related to media liability alleging personal injury or invasion of privacy. Some policies also include coverage for errors and omissions.

What is excluded from a cyber liability policy?

• Common exclusions include no coverage for unencrypted data on mobile devices; bodily injury; criminal acts (there’s usually an exception for innocent parties); or, in some policies, the insured’s failure to maintain the security of its network in accordance with industry standards, internal policies, and/or regulations.
• Some providers also provided fee-based technology services to other practices. Losses arising from this type of professional service are typically not covered by cyber liability policies. If the practice provides technology services to others such as hosting, managing or administering someone else’s computer systems and data or designing, programming, installing, servicing, and supporting others’ IT infrastructure—they need to also purchase technology errors and omissions coverage.

How is the cost of a cyber liability insurance policy typically calculated?

• In most cases, the rating factors are the number of personally identifiable records stored electronically and in paper files; the estimated annual gross revenue; or the number of physicians, as well as the limits of liability and any optional endorsements desired by the insured.
• Key to the acceptability and affordability of coverage is the "security posture" of the organization. If the organization answers "No" to essential underwriting questions such as: "Do you enforce a security policy that must be followed by all employees, contractors, or any other person with access to your network?" or "Does your security and privacy policy include mandatory training for all employees?" or "Is all data in transit or stored on mobile devices encrypted and remote access to your network authenticated?" then coverage may be declined or a higher premium charged.

What should we consider before buying cyber risk insurance?

• Cyber insurance is not a substitute for a good cyber security program, as not all losses can be covered by insurance. The benefits of an effective cyber risk management program and disaster recovery plan include prevention of cyber losses; preservation of electronic data; continuity of business with minimal loss of productivity; fulfillment of service commitments to patients; compliance with state and federal privacy and security laws; and protection of the practice’s reputation.
• Many smaller organizations who handle electronic protected health information (ePHI) mistakenly believe that HIPAA's required Security Risk Analysis is optional for them. They may also believe that installing an EHR fulfills the risk analysis requirement for meaningful use, or that the EHR vendor "took care of privacy and security." These assumptions are incorrect. All covered entities subject to the HIPAA Security Rule must conduct a risk assessment of their administrative, physical, and technical safeguards, as well as their compliance with HIPAA's privacy rule and Breach Notification Rule, including up-to-date policies and procedures. In most cases, this includes the following steps:
  • establish an enterprise-wide security culture;
  • encrypt data on mobile and storage devices;
  • back up data in real-time and store it offline;
  • use firewalls;
  • immediately install software updates/patches;
  • use strong passwords and change them regularly;
  • use two-factor authentication;
  • limit network and physical access to sensitive data;
  • obtain business associate agreements from all service providers who have access to the practice’s data; and
  • select your service providers carefully — and assess their data security to ensure they are HIPAA compliant.
• Lost or stolen laptops and mobile storage devices containing the ePHI of patients is a recurring problem. ePHI is being stored more frequently on portable devices, and there will be more breaches involving these devices. Mitigating that risk by encrypting the data would significantly reduce the likelihood of breach claims. Indeed, encryption must become a higher priority throughout the health care industry, and it will also help an organization maintain insurability and perhaps obtain a lower price for cyber insurance.
• Complacency is not a risk management strategy. An Incident Response Plan to address cyber risks is good for the business side of your organization. Clients expect their sensitive personal information to be secure; it protects the organization's reputation; and it avoids downtime and the potential loss of income and extra expenses. Guarding against cyber threats requires a multi-layered, proactive risk management strategy that is focused on identifying, assessing, and responding to potential risks. And that requires leadership to actively promote policies and procedures, best practices, risk controls, accountability, and privacy training.
• Today there are many external resources available to assist your organization with its IT systems, risk assessments, and privacy training. TMLT offers cyber security tools and resources to help policyholders and non-policyholders prepare for and to mitigate breach incidents. Organizations often need external assistance with their cyber risk management, as cyber attacks continue to grow in sophistication and frequency.

Why is contract due diligence so important?

• Contractual risk transfer is common today and is increasingly imposed upon health care entities that handle sensitive personal information. The need for careful contract review is vital—particularly in the area of liability assumed under contract, in the form of a written hold-harmless or indemnity agreement.
• Attempts to contractually transfer all or part of the financial consequences of a loss to another party (who is not an insurer) occurs in a myriad of contracts, including website privacy statements, company privacy policies, and third party services contracts (e.g., with cloud service providers), and Merchant Service Agreements.
• It is imperative that organizations also review these contracts for any insurance requirements. Signing contracts without due consideration of whether you have applicable cyber liability or professional liability coverage could put your organization at financial risk.
• Insurance is a form of risk financing and depending upon the coverage provisions, it may (or may not) provide the funding of some liabilities/indemnities assumed under contract. If there are any specified insurance requirements, you should try to obtain coverage that "dovetails" with the indemnity obligations, if possible.

What is considered a claim and what am I required to report?

• Your policy requires you to notify TMLT as soon as reasonably possible if you receive any of the following:
  • A demand for compensation — any written communication from or on behalf of a patient that seeks monetary payment or other compensation because of a perceived error in treatment or an unexpected outcome.
  • A notice of claim letter — a letter that refers to Civil Practice and Remedies Code Section 74.052 or refers to a notice of claim. Upon receipt of a 74.052 letter, a physician and his or her insurer have 60 days to investigate and evaluate the patient's claim.
  • A lawsuit — will contain a citation (which informs you of a lawsuit) and a petition (which lists the plaintiff versus the defendant). A lawsuit will also include the allegations made against you. Once you are served with a citation and petition, TMLT has a limited time to respond by retaining a defense attorney to file an answer on your behalf.
• In the event of a claim, it is essential that you contact the TMLT Claims Operations Department as soon as possible. In many cases, we will have limited time to investigate and evaluate the claim. Any delay in reporting could compromise your defense.
• If you are reporting a Medefense or Cyber Liability claim you must report it to TMLT no later than 60 days from the date you became aware of the claim.
• Although not considered "claims" that trigger coverage under your policy, you may want to report these situations and seek advice to possibly prevent the matter from evolving into a future claim:
  • Unexpected outcome — any complication or failure of treatment in which the patient or a patient’s family member may have expressed disappointment with the outcome or if you suspect that a claim may be asserted in the future.
  • Records request — a request for a patient’s medical records may come from the patient, the patient’s spouse, an attorney, a record service, or from a court reporting service in the form of a subpoena. Requests for records should include an authorization signed by the patient or by the patient’s legal representative. It is best to respond to a request as soon as possible. If you suspect that the records request is for potential or ongoing litigation, or if you question the validity of the records request, you should contact TMLT for advice.
  • Request for deposition — a deposition is testimony given under oath before a court reporter. You may be served a subpoena for oral deposition, or an attorney may contact you directly. If you are asked to give testimony regarding a patient, particularly if that patient is suing another health care professional, please contact the TMLT Claim Operations Department immediately. Depositions can potentially become claims and you should be properly represented at any such proceeding.

How do I report a claim?

• If you have received a notice of claim, a lawsuit, a medical records request, or a request for deposition, you should:
  1. Report the claim to TMLT by calling 800-580-8658. Please allow about 20 minutes for the report and have whatever notice you received available for reference. It may also be helpful to have the patient’s medical record available.
  2. Fax to 512-328-8067 or send by overnight mail a copy of the notice of claim letter or the lawsuit. Do not fax your medical records. Note that if you are served with a lawsuit, your TMLT policy requires as a condition of coverage that all such lawsuit papers be delivered to TMLT within 10 days of service or receipt of the lawsuit papers, and that you must obtain a delivery receipt from TMLT. “Delivery of lawsuit papers means sending by certified mail with return receipt requested, personal delivery, messenger, or electronic transmission. Proof of delivery of the lawsuit papers, however, may only be established by the obtaining a written receipt of such delivery from the Trust.”
  3. Gather a complete and unaltered copy of all pertinent medical records, including a copy of the hospital chart and any prior or subsequent treatment records. Mail a copy of these records to TMLT as soon as possible.

I have reported a claim. What happens next?

• Once a notice of claim is reported, the loss is assigned to a claim supervisor and coverage is entered and verified. Once the claim file is set up in our system, the following occurs:
  • A letter is sent to the policyholder requesting a copy of all medical records regarding the physician’s care of this patient.
  • A response letter is sent to the plaintiff’s attorney or pro-se plaintiff requesting specific allegations, damage information, and a medical authorization that when signed by the patient, allows us to request the pertinent medical records;
  • If the new loss is a lawsuit, the Texas Medical Board (TMB) is notified;
  • If a lawsuit has already been filed, then we dispense with the response letter to the plaintiff’s attorney. We assign a defense attorney to answer the lawsuit and defend the physician. The policyholder receives a letter from the claim supervisor advising of the attorney assignment.
• The average time to complete this from the day the loss is called in is about 5-10 working days.
• Do not discuss the case with anyone except a TMLT claims representative or the attorney assigned to defend you.
  1. Maintain your original medical records in a secure place for future reference. Do not make any additions, deletions, or any other type of alteration to the medical records. Secure any other pertinent information or items in your possession, such as billing records, x-rays, hospital charts, etc.
  2. All correspondence to and from TMLT and your assigned attorney should be kept in a separate and secure file. These items should not be co-mingled with the original medical chart on the patient. Do not release these materials to anyone unless cleared through your assigned attorney or the TMLT Claims Operations Department.
  3. The TMLT claims representative assigned to your case will keep you fully informed as the case proceeds, both directly and through your assigned attorney. If you have questions, do not hesitate to call your claim supervisor.

What is Lone Star Alliance, RRG?

• Lone Star Alliance is a risk retention group and an affiliated company of TMLT. It was established to provide medical liability and similar types of insurance to physicians, groups, health care facilities, and health care professionals in multiple states. Lone Star can meet the needs of TMLT's new and existing policyholders by writing insurance for those who have operations in states other than Texas.
• Lone Star is domiciled in Washington DC and began writing business in December 2013.

What is a risk retention group (RRG)?

• An RRG is an alternative insurance entity created by the federal Liability Risk Retention Act (LRRA). RRGs must form as liability insurance companies under the laws of at least one state — its charter state or domicile. The policyholders of the RRG are also its owners. Membership must be limited to organizations or persons engaged in similar businesses or activities, thus being exposed to the same types of liability.

Does TMLT own Lone Star Alliance?

• No. While LSA is affiliated with TMLT, as an RRG it is owned by its policyholders. TMLT — directly and through its subsidiaries — provides LSA with all essential operational support. Such support includes financial and accounting services, information technology, underwriting, sales, marketing, claims handling, and risk management functions. These services are provided according to a management services agreement.

Where is Lone Star Alliance located?

• Lone Star is domiciled in Washington DC, but our office is located in Austin, Texas.

What kind of policies does Lone Star offer?

• Lone Star offers a full range of medical liability coverage options for individual and physician groups, and allied health care professionals. We offer claims-made (including prior acts or “nose coverage”) and occurrence policies at a variety of limits. Per-patient rated policies and shared-limit policies are also available. Policies include cyber liability protection, regulatory actions protection, medical director coverage, and employment practices liability insurance. View policy options.

Who can apply for coverage?

• Any physician, group practice, allied health care professional, or health care entity located outside of Texas can apply for coverage with Lone Star.
• If a practice located in multiple states applies for coverage, the Texas-based physicians may be insured through TMLT and the physicians based outside of Texas will be insured through Lone Star.

How do I obtain a quote?

• Please contact your agent or a Lone Star representative at sales@lonestara.com or call 512-425-5890.

How do I apply for coverage?

• Please contact your agent or a Lone Star representative at sales@lonestara.com or call 512-425-5890.

Do I have to become a member of the Texas Medical Association to purchase coverage with Lone Star?

• No. TMA membership does not apply to Lone Star Alliance. TMA membership remains a requirement for coverage with TMLT.

How do I continue coverage if I decide to leave Texas? Do I have to re-apply for coverage in Lone Star?

• Because we will need information about your new practice, we will ask you to complete a short application. Please contact your underwriter at 800-580-8658.

What is the difference between Lone Star coverage and TMLT coverage?

• The Lone Star policy mirrors the TMLT policy with the exception of state-specific requirements. Lone Star policies are flexible and specific policy needs can be modified or endorsed.

Do I qualify for Trust Rewards in Lone Star?

• TMLT Trust Rewards cannot be extended to Lone Star Alliance policyholders.

What happens to my Trust Rewards balance if I move to Lone Star?

• Because Lone Star policyholders are not eligible for the TMLT Trust Rewards program, you will not receive additional Trust Rewards allocations while you are insured with Lone Star. However, your existing Trust Rewards balance will remain intact while you are with Lone Star and you will be eligible for payout distributions pursuant to qualifying events.

Will I receive a dividend through Lone Star?

• Lone Star does not have a dividend program at this time.

What discounts are available through Lone Star?

• Lone Star rewards physicians for their patient safety efforts. The following premium discount opportunities are available in most states.
  • Discounts for favorable claim experience
  • Group purchasing credits
  • Discounts for risk management participation
  • Discounts for new-to-practice physicians
  • Part-time discounts
  • Discounts for completing a Lone Star CME course (up to 5 percent for two courses)

Does Lone Star offer CME?

• Through our Risk Management Department, Lone Star offers home-study programs and online courses to help reduce liability risk. Courses are available at the Lone Star CME site.

Can I take a TMLT CME course and receive a discount for Lone Star?

• No. You must take a Lone Star CME course to earn the discount. Courses are available at the Lone Star CME site.

Can I apply my TMLT practice review discount to my Lone Star policy?

• No. Your TMLT practice review discount will not apply to your Lone Star policy.

Does Lone Star claims philosophy align with TMLT's claim philosophy?

• Yes. Each claim is aggressively defended and we do not settle non-meritorious lawsuits. If a case requires a compromise settlement, our experienced claims staff negotiates to obtain the best possible result. Additionally, TMLT/Lone Star only hires experienced, specialized, medical malpractice defense attorneys to represent our policyholders.

How do I obtain a quote?

• You can request a quote from the TMLT web site or you can contact a sales representative by calling 800-580-8658. You can also email sales.

How do I apply for coverage?

• You can apply for coverage using our online application.  A representative from TMLT will contact you once your application has been received.

Why do I have to be a member of Texas Medical Association to purchase TMLT coverage?

• TMLT was created by the Texas legislature in 1979 to provide medical liability coverage for physician members of the Texas Medical Association. The legislation that created TMLT included the provision that policyholders must be members of the TMA. Therefore, by law, policyholders must also be members of the TMA.

How long does it take to process an application?

• The average time to process an application is approximately 10 business days. Please make sure that your application is filled out completely, as incomplete information may delay the underwriting process.

When is coverage effective?

• For coverage to begin, we must have confirmation of pending TMA membership and your completed application underwritten and approved. You must also provide a current CV and proof of any previous or current medical liability coverage.

Are my ancillary staff (nurses, medical assistants, technicians) covered under my TMLT medical liability policy?

• TMLT policies do not cover ancillary staff. However, if the physician is named in a claim or a lawsuit due to the actions of a staff member for whom the physician may be considered "legally responsible," coverage may be provided for the physician. Please be aware that coverage for a claim is ultimately determined after a thorough investigation by the TMLT Claims Operations Department.
• Ancillary staff working with TMLT policyholders can obtain medical liability coverage through Texas Medical Insurance Company, our subsidiary.

Does my TMLT policy cover me for my activities as a medical director?

• Yes, all TMLT policies include coverage for your administrative activities as a medical director. This coverage is at a sublimit of $100,000 of your existing policy limit. You may contact TMLT at 800-580-8658 to decline this coverage.

How is my premium determined?

• Premium is based on geographic location, specialty, procedures performed, limits of liability, number of years of exposure covered, and claims experience.

What are limits of coverage?

• Limits of coverage spell out the maximum amounts your policy will pay. In professional liability policies, there are typically two limits. One limit states the maximum per claim, while the second limit spells out the maximum amount that will be paid during the policy period. The first limit is called an "each claim" limit and the second one is called an "all claims" limit.

How much coverage is right for me? What limits of liability do you recommend?

• We cannot advise you about what limits to carry, but we recommend that you speak with colleagues who practice in your specialty and location to see what limits of liability they carry. You may also contact your local county medical society; often their legal counsel is available to advise you. Your personal financial advisor may also have recommendations in consideration of your personal assets.

What is a declarations page?

• The declarations page is the first page of the insurance policy that contains information specific to the policyholder. The declarations page contains the policyholder's name, address, specialty, limits of liability, premium amount, policy effective date, endorsements, etc.

What is an endorsement?

• An endorsement is a document that changes the terms of the insurance policy.

What is vicarious liability?

• Vicarious liability is when a policyholder can be held legally responsible for the actions of another person. Typically in medical liability claims, physicians can be found vicariously liable for the actions of nurses, medical assistants, employed physicians, or other people for whom they are legally responsible.

What does claims frequency mean?

• Claim frequency refers to the number of claims filed. Claim frequency is one factor used to determine insurance premiums.

What is claim severity?

• Claim severity refers to the dollar value of a claim as determined by a jury verdict or settlement agreement. Claim severity is another factor used to determine insurance premiums.

What is reinsurance?

• Reinsurance is a transfer of risk by one insurance company (the insurer) to another (the reinsurer).

What are reserves?

• Reserves are funds set aside by insurance companies to pay estimated future losses. A company's claim department typically specifies a reserve amount for every claim filed, which can be modified as the claim proceeds to resolution.

What does claims-made mean?

• A claims-made policy is designed to protect you during the active policy period, usually one year. If you do not renew your claims-made policy when it expires, you no longer have coverage for any claims that may arise in the future that are alleged to have occurred during the time your policy was in force.
• Physicians who wish to continue coverage under a claims-made policy must purchase supplemental coverage, such as tail coverage or prior acts coverage. If neither tail coverage nor prior acts coverage are purchased when a claims-made policy expires, any future claims that might arise from services performed during the policy period will not be covered.

What is an occurrence policy?

• An occurrence policy provides ongoing insurance protection for events that occur during the policy period, even if they are reported after the policy is cancelled.
• Occurrence policies are generally more expensive, but it is not necessary to buy supplemental coverage like tail or prior acts coverage after an occurrence policy expires.

What is prior acts coverage?

• A supplement to a claims-made policy, prior acts coverage is purchased from a new carrier when you change insurance companies. This coverage, also known as nose coverage, covers claims from unknown incidents that occurred before the beginning of your new policy. Prior acts coverage is an alternative to tail coverage, which is purchased from the original carrier when a change in insurance companies is made.
• Companies typically require new policyholders to purchase either prior acts from them, or tail coverage from their prior carrier, to protect against claims arising from prior acts.

What is tail coverage?

• Tail coverage, also called a reporting endorsement, is available for purchase when your claims-made policy is cancelled or non-renewed. Tail coverage continues insurance protection under your claims-made policy for claims reported in the future but arising from incidents that occurred while your policy was in force. Tail coverage payment is due within 60 days of policy cancellation.
• TMLT offers free tail coverage to physicians who:
  • are 50 years of age or older;
  • have been continuously insured with TMLT for 5 years or more on a claims-made policy; and
  • the cancellation of the policy is due to retirement from the practice of medicine.
• In addition, TMLT waives the tail premium at any time if the physician should stop practicing due to medical disability or death.

What is per-patient based coverage?

• Per-patient based coverage is designed for emergency physicians and urgent care groups, as well as other groups that are structured on a per-encounter basis.
• This type of coverage is more cost effective because pricing is based on the number of visits rather than rated on the number of physicians in the group.

What is cyber liability coverage?

• Cyber liability coverage provides coverage for privacy-related claims that occur as a result of lost laptops, theft of hardware or data, improper disposal of medical records, hacking or virus attacks, and disgruntled employees.
• Cyber liability coverage is included with all TMLT policies.

What is Medefense coverage?

• Medefense covers legal expenses, fines, and penalties arising out of medical board and other disciplinary proceedings.
• Medefense coverage is included with all TMLT policies.

What is employment practices liability EPLI coverage?

• EPLI covers claims that arise from alleged wrongful employment practices, such as discrimination, harassment, and retaliation.
• EPLI coverage is included with all TMLT policies.

What coverage is available for my entity?

• Entities, which are defined as an incorporated formation of two or more shareholder physicians practicing under the group's "DBA" name, are eligible for a separate entity policy. The policy provides defense and indemnity coverage when the entity is held legally responsible for the actions of the member physicians. Physicians that are incorporated as a Solo Professional Association or Solo PLLC are provided coverage under their Individual policy on a shared-limit basis.

What does assessable mean?

• Some policies will ask that you pay an assessment in addition to the yearly premiums. Assessments can occur if a company experiences higher claims costs than anticipated. In some cases, assessments can be as much as the full premium. All TMLT medical liability policies are non-assessable.

What is general liability insurance?

• General liability insurance refers to a type of business liability insurance other than automobile, workers' compensation, or employer's liability that covers property damage or bodily injury. In a health care setting, general liability insurance would cover such incidents as a visitor slipping on a wet floor of a hospital or office.