Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

PTG Podcast 12-15-20 with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Personal Injury Attorney Sean Park on HIPAA Compliance, Blockchain and Health Passport applications for securing PHI Cybersecurity and Compliance Risks and Ch

December 15, 2020 Craig Petronella

PTG Podcast 12-15-20 with Craig Petronella of Petronella Cybersecurity and Digital Forensics and Personal Injury Attorney Sean Park on HIPAA Compliance, Blockchain and Health Passport applications for securing PHI Cybersecurity and Compliance Risks and Challenges

Support the show. Call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Announcer:

You're listening to cybersecurity and compliance with Craig Petronella, visit us online at Petronellatech.com.

Sean Park:

In response to current litigation regarding access to medical records and private information portability, was recently a Health and Human Services. I can give you some high points of that as well.

Craig Petronella:

Yeah, please.

Sean Park:

In my practice, a lot of times, the challenge is getting medical records because when an attorney's office requests medical records, the first thing a hospital and medical provider does is pushes the priority of those down to the bottom. They want to make sure it goes through compliance, are they possibly a risk for being sued, and other issues. Once they are okay to get them out to release the medical records, then as a third-party requesting those records, even with patient authorization, we're charged in huge fees per-page costs, copying costs, and there's been some litigation. There are some great regulations put in place. But it's still something that we have to push back at quite frequently. And a lot of times, the urgency of getting those records, we end up just paying to get those records because we've got to have that evidence push the case forward. But recently, there was a chart squad, is a group I've been using that functions as a patient advocate. And the patient authorizes them to pursue requests. And if they get it charged, what gets a response, saying you need to pay us a prepayment of this amount. The charts blog will then function as their advocate to file a complaint with the Office of Civil Rights and pursue their rights to get the medical records in this cheap performance and as cheaper manner as possible. The recent decision that came down last week is that response times on those requests by private by patient advocate groups. They have to respond within 15 days, as opposed to 30. And there are no fees associated with complying with those requests because it's essentially a third-party functioning as a patient advocate to request those records directly on behalf of the patient.

Craig Petronella:

Have you ever heard of health ID passport technology built on blockchain?

Sean Park:

I have not.

Craig Petronella:

So this is going to make your world so much better.

Sean Park:

Let's hear it.

Craig Petronella:

Health ID passport technology is an initiative, a project that multiple companies are trying to create. It stores our patient health information and personal identifiable information on a blockchain that the user or consumer controls. I've talked about these years ago; I think it was three or four years ago now. I haven't followed the path of how it's progressed. But the vision of it is one day, you and I will be able to have access at our fingertips to all of our information and get to choose who and when we share that information. So it no longer is in the hands of the doctor or the hospital or the different place the medical practices you go to. It's in your hands, in my hands. I get to choose from. I'm working with Sean today. He needs to see some of my PHI. I'm going to give him access to this, this, and that. I get to pick and choose what he has access to, when, how often, and if it expires. But I am the human controller of it. I need no third-party involvement, and it's all secure and built on blockchain technology.

Sean Park:

That would make my life a lot easier. It would make a patient's loan a lot easier.

Craig Petronella:

Yeah.

Sean Park:

The challenge a lot of times, especially with cases that I work on, I had a call with someone just last Friday, where he had what he believed to be negligent medical treatment with foot surgery. In his recovery, he developed a blood clot, and he's still having continuous issues in making a full recovery. And he's concerned, not so much as far as litigation goes. But he's concerned about getting a second opinion and trying to figure out what it's going to take to make him better. At least, he will be able to make a full improvement. He's having tremendous difficulty to request his records from the prior care provider to get a second opinion because of the pushback he's getting.

Craig Petronella:

Isn't that crazy? That's so inefficient. And as you had mentioned, the chart company and these other third-parties, all that goes away with a blockchain solution. It's me, my data, I get to pick and choose, and I don't have to worry about if the hospital security is lacking. All these companies are getting breached left and right. There's another one just last week with FireEye. And now they're saying this morning, in the paper in the news, that the Russians have stolen more intellectual property around and more CUI or controlled unclassified information in the defense supply chain. And it never ends. My point is that, in this context, if you and I get to control our PHI and our data, we get to choose who and when we share that information. And it's all secured. All blocks of it are on the blockchain. That's the way the future, for sure.

Sean Park:

That's valid and true. But that also opens the co

Craig Petronella:

That's absolutely valid and true. But that also opens the competitive landscape for companies to come out with more user-friendly services that access and control that data, right? So the first step is let's store our data in blocks that are protected by blockchain technology. The next step is for new application developers to develop front ends to access that data with your permission, and then you can go on training around that. Maybe, big companies will create some front ends that are easy to use at that time. With any technology, there's always the learning curve and the human aspect, of course. However, most folks are probably used to using a portable electronic medical record system with a hospital anyway. So, a lot of that is going to be a huge disrupter. Many industries and with the elimination of a lot of third-party, hands in the pie.

Sean Park:

It's something that has to happen, I think. Especially when I can't rely on medical records to build my client's case. And the pushback I get and being able to access is information. That is my client's information. It takes up a lot of time takes up a lot of resources.

Craig Petronella:

Yeah, that's just so woefully inefficient from time and cost. So I mean, when you were saying about copy costs and arcane methodology around. You processing information, all that goes away. You'd be able to scale more. You'd be able to help the clients that you're serving faster, cheaper, ultimately. There's going to be a big disruption. There are going to be many middle players who go out of business if they don't retool. But it's how Walmart has used blockchain. I don't know if you're familiar with that, but Walmart was one of the first commercially recognized use cases around blockchain technology and used it to track the supply chain around the produce. So if there's an E. coli outbreak, for example, Walmart's technology with the blockchain solution can find if it was E. coli or something else. Where was the origin of that? Who was the forum? Where did it come from? They get it in seconds. They can pull all that factual information off the blockchain. It's efficient and saves a lot of; there's no third-party needed. The same things are happening and transformation around real estate and deeds and storing records like that on a blockchain. Years ago, when I bought a house, you had to pay for title insurance. So you're paying a third-party to validate a certain aspect of the transaction. So all that would go away with blockchain technology. So I think the blockchain will be a big player in securing personally identifiable information and making things much more efficient for folks like you that need to access this information.

Sean Park:

Oh, it'd be great.

Craig Petronella:

Yeah. So, I'll do some more research there and see progressions have been made there. I'm looking forward to that day. I'm tired of my information being that available. If you go to five different doctors, my PHI is in five different systems. And I have to trust that five different systems are and entities are going to keep my information secure. And I know, because this is my specialty, nine out of ten of them are not going to do a good job with that.

Sean Park:

Right.

Craig Petronella:

Who's paying the price ultimately? It's me. My information is going to be out there numerous times.

Sean Park:

Yeah. You constantly have to evaluate and process the potential for risks of breaches and those types of things. And it couldn't be scarier than what happened with the Russian hack over the Treasury Department's weekend. What are we doing? Parts of government are supposed to be secure and protected, but we're still getting hacked by people that we know and had this before. So what are we doing?

Craig Petronella:

Yeah, it's craziness. And it goes around the new Cybersecurity Maturity Model Certification, the CMMC process that I've been specializing in ever since its inception. It goes around that the Department of Defense has seen that we've had these problems for years now. They made great strides in releasing the CMMC. I'm a big fan of it. I think it's fantastic. However, our government sectors and departments are not even taking this seriously enough, or they're doing the third-party audits of themselves. And the cross-checking and cross balancing is not happening. If it were, then this wouldn't be the daily news headline.

Sean Park:

Right.

Craig Petronella:

It's just crazy times, but more need for policies, procedures, security controls, third-party audits, and, you know, help for these folks, not just for the government areas, but for the players in the supply chain. It's in our country's best interest for everyone to take cyber compliance more seriously and buckle down. But moving along to your specialty, how about you introduce yourself to my audience? And we can talk about some things at a deeper level of what you're working on.

Sean Park:

Yeah, sure, Craig. Thank you again for having me. I appreciate it. My name again. I'm Sean Park. I'm with the Park Law Firm. I'm a small personal injury firm based in Chicago and has an office in Atlanta. I'm also licensed to practice in the state of Tennessee and Florida. But my practice focus areas are primarily in personal injury, catastrophic injury, wrongful death, and some medical malpractice in the Chicago and Atlanta markets.

Craig Petronella:

Awesome. Welcome. And thank you, Sean. I appreciate that. Earlier on the show, you have talked about the challenges of patient health information and working with hospitals and various medical practices. Obviously, with blockchain, that should get smoother. And we hope that could be a viable solution. And I'll look into that further for you. But in the current landscape, what's the average timespan? If you're working with a client and need to get medical records from a hospital, is it a week? Is it two weeks? Is it a month? What is it? What does that look like?

Sean Park:

I would say on an expedited process. And there's always a fee for everything when a third-party is requesting records. Depending upon the client's needs and the need to have that information to push the case forward, I sometimes have to pay a premium to expedite a records request. And if I do that, I can get records within two to three weeks. But in normal times, if I'm making a basic request, the records will probably be sent to me within 30 to 45 days. If the request goes through and meets all of the screening standards, the health records maintainer or the business office. Make sure that it's okay. And they authorized the records to be released. But there's a lot of inefficiencies both from a personal standpoint and from the support staff standpoint of having to follow up on records requests and figure out where they are. Ultimately, those records requested are being received and process by humans. And they're going through their chain of command. And a lot of times, unless you don't have every I dotted or T crossed, they're going to kick it back. And you've got to start from scratch, or the record requests to be received. And somehow, it gets to the bottom of the stack, and someone misses it. And as a law firm dealing with a select number of cases and the need for the information to be brought inefficiently, I don't have the time to continue staying on top of getting records. It's something that I kind of will process and check off like on a weekly to-do list or every couple of weeks follow up on those things. So the follow-up in the man-hours associated with following up on those records is quite tedious. And it's a loss of productivity. And so what I used recently, in probably the last five or 10 cases that I've got, is a company called Charts Flaws. And they are a third-party private health information application that functions as a patient advocate to request those records. And I pay a fee per request to medical providers. 
They will make that request to the medical facility. They will also do additional searches for billing. Often, when you have a hospital bill, most people don't realize that the physicians are separately employed from the hospital for liability purposes. So they won't only get you a hospital bill for the hospital services, Emergency Room Services, room and board type services, and fees. You're also going to get charged a bill for the physician's professional services that took place within that hospital. You'll sometimes have even separate bills for radiology that will come in. Often, it's all patients can do to deal with making that physical recovery. They can't keep track of all the records that come in, or all the bills come in. They think I went to the hospital; I should only have one bill. But that's not how it works because multiple departments will give separate bills. So basically, I just told a client to send me whatever bills they've got. And I'll target my requests in that fashion. And charts were a big help because I'll just plug into patient information. We'll reach out to the patient to get their authorization to function as a patient advocate. And they will push the requests, and they'll continue to follow on the requests. What's been happening lately with medical records departments is they'll say, Oh, well, this is a request you need to pay a prepayment of this amount of money. And that's outside. The current litigation outside of the law regarding the current litigation is going on the current regulations regulating how this information should be disclosed and what fees, if any, should be charged. And so, in those cases, charged squabble, reach back out to me and say, This facility is charging or seeking to charge a fee. If you want to pursue these records on an expedited basis, we recommend you go ahead and pay this fee, and records will be released immediately. I'll cut it short. 
In most circumstances, there's not a huge rush for me to have those records. And I would much rather save my client the money on the back end because any money that I pay, and I get when I get a recovery, will be an expense on their settlement statement that they're going to have to pay back to me. So I want to be as efficient as possible. And so I'll just pursue a civil rights violation claim that charged white advocates for the patient through that vehicle. And I've had great success in having those fees or those prepayments set aside and charged. Why didn't you get some records for me?

Craig Petronella:

That sounds like good service and help you at this time. But the question that comes to mind is why wouldn't the patient just go direct to help you get the records?

Sean Park:

Because I deal with catastrophic or serious injury type claims. A lot of the legwork to the patient would have to do to get those records. I try to make it as I try to make my service for my clients as turnkey as possible. So, when they hire me, I want to take the legal side of their burden off their shoulders. I want them to focus on physical recovery, mental and emotional recovery. Being able to get back to work, get out of bed without being in pain, make other physical therapy appointments, and make other follow up medical appointments. I don't want them going on a goose chase to go and get the records. It would be easy if they could do that. But the complications for patients to have to deal with that a lot of times it's very difficult.

Craig Petronella:

Got it.

Sean Park:

Often, medical records providers, even when a patient will call and say, Please release these records to my lawyer, they'll view it as Oh, it's a third-party request. So we can charge all these fees and send the records directly to the attorney. So what's happened in my experience, at least.

Craig Petronella:

Is that similar to like a power of attorney type paperwork that attache

Sean Park:

Yeah, when in before recently, patients would sign o

Craig Petronella:

Yeah, I can only imagine. It just seems like my firm's letterhead, a HIPAA authorization that would allow an plug in the blanks for all the request information. I wa set updates of the information I'm seeking. I would want all records, radiology, any type of images, all reports, all nurse's notes, basically, anything about this patient with this social security number, this date of birth, for these dates of treatment. I want you to send that to me, and the patient signs it. And those HIPAA authorizations, once they're dated, are only good for a certain number of times. So what I do is I tell my patients to sign them but don't date them so that I can date them on the date of request. When invariably, I have to request follow up records, because the patient's continuing to treat, I can then contact that office again and say, Please provide me with these updated records patient was seen on the subsequent dates prior after my last request. And they'll usually do that. But then there are many follow up with that and many man-hours associated with following up on those requests for supplemental records. a just a convoluted process.

Sean Park:

That's just the nature of my practice. It takes a lot of time to get that information and evidence. And it's difficult because you get so much pushback, and you get so many fees associated with just providing the patient's information to me. And the thing that's also kind of difficult that I've just recently thought about is, ultimately, all of my clients are people that have been hurt through no fault of their own. There might be some arguable issues of potential liability assumption of risk or those types of things. Most of these people are injured in situations where they didn't cause their harm. Someone else did. And ultimately, their pursuit of recovery justice for their injuries is being reduced by the people who are providing their medical care because they're going to have to pay back the money to me to obtain their medical information. So it further injures them because they're not getting full maximum value for their case because of the other monies that had to be paid out in the processes of pursuing their claim.

Craig Petronella:

Yeah, that's crazy.

Sean Park:

It is. I think there are ways it can get better. And I think the use of technology is surely going to get better. And it's a matter of a lot of times just making sure that the patient knows their rights. And the patient knows that it's their personal health information that they should be able to take wherever they go, and it shouldn't be difficult to access. And it should be as easy as sending an electronic request with authorization showing certain identifying information that you are a person authorized to make that request so you can get your records. And use an electronic request for whatever purpose you need to use them for.

Craig Petronella:

Yeah. Yeah, that's why I'm a big fan of the health ID passport technology on a blockchain. I think that's going to be huge and just revolutionize this whole concept around all these third-parties involved. And the expenses, I think it's going to make it more efficient and time and cons.

Sean Park:

I would love to be at the front of the news. As soon as you learn anything more about that, I would love to incorporate that into my practice and provide that service to my clients to get that information is I think it would make their lives a lot easier and make my life a lot easier.

Craig Petronella:

I think it'll be revolutionary. I'll keep you posted on that. What's your opinion on the current landscape around HIPAA? Right now, I'm sure that the law was enacted in 1996. It's old and antiquated. I think the new CMMC will overtake HIPAA and spread into other industries and specially regulated areas because it's just the most modern approach. I like the methodology around the checks and balances to prove and show supporting evidence that you're doing all this stuff. And then you have to have a certified third-party come in and audit you on-premise, look over your shoulder and look through your stuff. I think it's going to be huge in that respect. But what's your opinion about it?

Sean Park:

I think anything you can improve upon with HIPAA will be welcomed, just because of what we've always seen how HIPAA was enacted, and how it's played out in practice in the challenge. I think getting someone up to speed with the new legislation is that we've been playing in this space for 25 years at this point, with HIPAA. And it's hard to change any areas of the law. Even once you enact new legislation, it's hard to get people accustomed to playing in a new prior format. Even if they were doing it incorrectly, it's hard to get them to evolve and do it. But that's everything that we've kind of seen. It's basic human nature to be like, Oh, well, this is what we're accustomed to this is how it's always been done and then figuring out how to change it, how to improve it to make sure that we are allowing patients to free access of their information. And we're allowing them to take it wherever it needs to be taken. Or use it in whatever means that needs to be utilized, for whatever purposes and for my specific purpose of being able to access information a lot easier. It would reduce their expenses on my side of things from a patient standpoint because they could easily just say, Here's the information; you've got to input into my portal to access information. And then, I could present their case a lot quicker and more efficiently. It's just going to be something that is going to be challenging for people just because it's something new. You're relying on the government to roll things out responsibly and inform people properly, and I don't think that happens very frequently.

Craig Petronella:

The most powerful process that could change in the future is medical practices' requirement to go through that audit process. Because right now, it's pretty much self-attestation until something goes wrong. And then you have the forensics, and then you have to show all your supplying evidence that you're HIPAA compliant. But most of the folks that I talked to, especially new startup medical practices, or doctors, tell me all the time, I've gone years and years of schooling, and you've told me all this information that's completely foreign to me. I've never heard of any of this information. They often have a binder for their HIPAA compliance, but the binder is no substitute for all the policies and procedures that they're supposed to have. They don't understand how those policies and procedures have to map to security controls and the layers and how all this work has to be done regularly. So right now, as I said, it's a very honor system. Hackers know this. That's why hospitals and medical practices are still low hanging fruit for most of these. They're running these programs, scanning your networks, checking on things, jiggling the door handles, and most medical practice don't even have the technology to detect those activities, much less mitigate the risks. Often, I've seen it. There's a breach that occurs, and hackers are in their system. The latest that's a pretty common way is they get into their mail system, their Office 365 system, and they sit there, and they lurk and just kind of wait, and there's just covering their tracks. And it's a crazy landscape that we live in. But the fact of the matter is that most hackers are smart and lazy. They're constantly running these scans and checks to basically for those applications to come back to them. And show them a list of here's your prime targets. 
And hospitals and medical practices are notoriously running older operating systems and older IT equipment because they have to support legacy, digital X-ray systems or something. They don't want to buy the latest and greatest. It needs to use an older operating system. So then they have more challenges on how to secure those devices properly.

Sean Park:

Yeah, and the thing with hackers is they're incredibly smart, and they only need one breach. So they can write code that can send out 1000s if not hundreds of 1000s of pains to a system, and they only need one to come back to give them that access point. And every professional industry has that same kind of complaint about well. I went to med school for this reason. I went to law school for this reason. I didn't anticipate having to figure out how secure my medical records network needs to be for a small solo practice. But it's something that when you're trading, or you're working in protected private health information, of your patients, it's something you have to be at the forefront on to make sure that that information is correct. Similarly, a lot of stuff is going on on things' legal side, especially filing e-filing of documents. Every time I file a pleading in court, I have to attest that I have done proper redactions to ensure there's no private information in this document. So courts are in tune with I don't know if they're completely up to speed on all of it. At least they're putting the burden on anyone that's submitting a pleading to that large court system portal to make sure proper redactions are done. There is no personal identifying compromising private information that could allow a hacker to infiltrate and use that information to commit further fraud.

Craig Petronella:

Yeah. Hackers also know how most mid to larger size medical practices, there are so many human element targets around social engineering and phishing and business email compromise. It just takes, like you said, one to give up the credentials to vendor impersonations. It doesn't take a lot of effort for a hacker to do some basic recon to figure out who their vendors are for a particular hospital and, you know, create a very targeted phishing email called whaling to the C-levels. It's a crazy world that we live in. I was just curious. Do you agree that there will be more pressure around audits regarding ensuring that the medical practices are compliant? Do you feel like there might be an increase in any of those activities?

Sean Park:

Yeah, I think so. The risk of hacking and the risk of breaches grows greater. There's so much of a human element to it. Part of it is a two-pronged approach if you have to have proper staff training that deals with private health information. And you need to have systems in place to ensure that your system, your network, is as secure as possible, but then you have to come in. And that's where a company such as yourself would come in with training processes to ensure that your employees are not hacking or not falling for those phishing scams. You're checking the email addresses and making sure they're valid with the purporting person to send you that message. And everyone can fall victim to phishing scams network. It's just a matter of sometimes just inadvertently clicking on a link. And everything right now is so automated. It used to be just robocalls. And now it was these text messages. And you get text messages from anywhere. And it will say, Click here to show your support. I don't want to click on anything because I don't know where this is coming from.

Craig Petronella:

Yeah.

Sean Park:

And it's gotten so far. The biggest scams that have been going on are just people. You always hear of the ones that like people get the phone call and say you're a warrant out for your arrest; please call this number immediately. So and then you call that number, and many people fall for it because the fear of the authorities coming to get them is something that's kind of like, I'm going to go ahead and pay this, but it's essentially extortion. And people need to have especially now need to have their radar up with any electronic messages they receive or anything they received via telephone or text message.

Craig Petronella:

Yeah, all good points. And the human element is always the weakest in anything. So, now security awareness training is more important than ever. Not just the training but the completion of the training and the testing, the quizzing, the constant auditing of that process, and showing the chain of evidence trail for employees. Ensure that Susie Brown in the corner is not paying attention enough to the latest email security threats and needs to go back to look over some training and get retested because she's currently posing some risks to your organization.

Sean Park:

Right.

Craig Petronella:

I think that training and going through the drills for all of this is super important. So not just saying that you're going to do certain things or getting the policies and procedures in order, but having a professional set of eyes to look over them and make sure that everything's mapped properly. And going through that battleship scenario, you know.

Sean Park:

You got to have the audience.

Craig Petronella:

Yeah. But many people are not doing security risk assessments. They're not doing the pen-testing. And you don't know what you don't know, right? So if you don't do this stuff, you don't know where your gaps are, and you don't know where to start and where to fix things. It's particularly challenging for the smaller organizations that don't have a compliance person and don't even know where to start. I keep going back to CMMC. But I think that CMMC is going to be a good thing because I hope that one day, the CMMC overtakes HIPAA and requires medical practices to show the supporting evidence for all this. Otherwise, they shouldn't be able to practice. I feel like that might sound harsh. And people might get upset at me for saying that. But here's the reality of the situation. If you put a cap on that and make it so that practices can't be using our information, and maybe sharing it inappropriately, and risking all of us, what's the harm in having a certified third-party auditor? Assess your practice to ensure that you're doing everything right, not to get you in trouble, but to proactively at a much fractional level, as far as cheaper get this stuff in order now rather than later. It's just a matter of time because if you suffer a breach, you're going to go out of business. So why not do this ahead of time anyway. And the number one complaint I hear about it is it's too complicated. They don't know where to start, and it's too expensive.

Sean Park:

Well, I mean, the physician's Hippocratic Oath is to first not harm. And that, by extension, should apply to their practices as well. Because while they may be providing top-notch care and physically healing or treating a patient, they're mismanaging that patient's data or information could cause that patient harm.

Craig Petronella:

Yeah.

Sean Park:

It's one of those things that in places are plaintiff's attorney circles. There's always talk about litigation reform and tort reform. And a big part of that is regulation or restrictions upon the ability to bring medical malpractice cases. And the biggest thing that you hear quite frequently from the hospitals and physician's side of things is malpractice insurance is too expensive. There's a healthcare crisis. You're going to drive good doctors out of the state because it's going to be too expensive for them to practice or too expensive for them to have medical malpractice coverage or insurance coverage. But we're all human. Doctors are humans. We all make mistakes. But if you are in a practice where you're providing medicine and treatment to somebody, part of that whole practice also has to be to treat the person and their information as confidentially as you would if you were just treating that person individually. You're not going to have a whole gallery of people watching how you're treating that person. The private information is exchanged between the patient and their doctor. But at the same time, you need to make sure that information you gathered during the time you're treating them. And you're storing that information for future purposes for record-keeping purposes or future visits for continuity of care for transfer that information to the subsequent treating provider for that particular patient. You've got to make sure that stuff secure.

Craig Petronella:

Absolutely. Now, are there any tips or anything that you could think of that would help folks? As you know, most people should have a will, right, and document that process. But maybe there are some things that they do proactively prepare that something happens, and they get into an accident? Maybe, it would make it easier, more efficient for you or somebody like you to help them. Are there any tips or suggestions that you have around that?

Sean Park:

Absolutely. I see quite frequently when someone gets into a car accident because that's usually where most personal injuries occur. There are more isolated incidents where people are seeking rebuilt, compensation for an injury or loss. But for the most part, the cases I run across are people that are hit by a car, hit by a truck, those types of wrecks. And the sooner you can talk with an attorney, the better off you are. Because when those types of things happen, and you're in the ambulance going to the hospital, the underside, the seedy underbelly of the personal injury world is a practice called runners. And runners are people that kind of stakeout hospital emergency rooms and sign clients up as they come into the emergency room. They say, Hey, look, you were injured in a car accident, sign here, sign here, we'll work out the details later, but we represent you and will pursue your liability claim. And it's something that happens. It's unfortunate. It's highly unethical. It should be illegal, there should be criminal consequences for it, but it still happens. And people fall prey to it because they are in a difficult, stressful situation. They need to have that issue fixed so they can focus on physical recovery. It's always critical to talk to an attorney to know your rights first. But make sure you get a good referral, or you can verify who it is you're speaking with before you sign any paperwork. Similarly, on the insurance side of things, what also happens, shortly after that, as an insurance company will call that person and seek to make a statement and seek to record that statement. When they're doing that, even if they're saying they're going to do the right thing, the insurance companies are going to accept that liability was on the part of their insured. They're going to do everything they can and use whatever information they can gather, often directly from the injured patient, to undermine the value of that claim. 
It's important to talk with an attorney before you talk with any insurance company. The attorney can advise you as to what your rights are and what you should pursue what you should do. From a planning standpoint, because no one ever plans to get into a car accident, many people don't realize that there's a certain thing that you can do to protect yourself. Most people on the roadways are probably getting a baseline level of insurance to get their car registered. So if you need to get your car street legal, you're going to pay for a $25,000 liability policy. Craig, if you get hit by a car in a car accident, and you're taken to the hospital, you had to have emergency surgery on your tibia. You spend three or four days in the hospital. You've got $150,000 in medical bills from annual treatment and other hospitalization expenses. The only liability coverage you could pursue would be the $25,000 policy that of that person that hit you. That's not going to compensate you fully for your injuries or your losses. The biggest protector that most people don't realize is something called uninsured or underinsured motorist coverage. And that's something that is part of your general car, your car policy. And most people don't understand or realize how that works. But what uninsured or underinsured motorist coverage provides you is an extra layer of coverage to protect you from those who don't have sufficient insurance. And it varies from state to state. There have been certain interesting in the states where I practice, Georgia, and Illinois, and Tennessee, and Florida, but primarily Georgia and Illinois. The insurance laws vary in terms of what type of coverage you can have and how it would apply. But the important thing is most people on the roadways don't have a lot of insurance, to begin with. 
So if you happen to get hit, the odds are you're going to need to have certain layers of protection that you plan for, and that's in the form of uninsured or underinsured motorist coverage. And it doesn't cost that much more in your monthly premium. But what's gone on with all the big box carriers of insurance Progressive and State Farm and Geico? People don't just want to get insurance coverage, and they're not doing a thorough job researching what that means. It's always important to have to talk with someone who poses embarks on a website to purchase your insurance coverage. So it's always important to talk with a person to explain to you what those various coverages are. And I had conversations with clients all the time. There's a point in the litigation where I sit them down and say, I'm going to scold you a little bit, but you have the bare minimum, uninsured or underinsured motorist coverage. And this is going to limit or restrict your ability to make a full recovery in your case. And then I say, Hey, look, send me your deck page, your declarations page for your insurance. And I can tell you where your policy limits should be. And then I tell them to go and call their insurance agent and make those changes immediately. So in the event, something else happens down the road, they'll have additional protection from the unknown.

Craig Petronella:

That's very good information. Is there any audit process around that sound like 25,000 is not nearly enough these days?

Sean Park:

It should; it's not. But that's all governed by state statute.

Craig Petronella:

So every state has a different minimum?

Sean Park:

Every state has different minimum requirements. And usually, it's a minimum policy of insurance that you have to get to show you have general liability coverage. And you have to have that to get your car registered to be your tag renewed. And so and when people have the minimum level of insurance, and those are probably the ones that are the most at-risk drivers, because they're usually the ones driving around enough and beat up at a Nissan Pathfinder, or whatever, some old dated car that's all banged up. They're just getting the minimum coverage because the vehicles are not worth that much. And they just need to be able to get it because it's their mode of transportation. And they're probably the ones that will put you most at risk because they don't have much to lose.

Craig Petronella:

Got it. So is there some kind of process? It sounds like it's state-driven.

Sean Park:

It is state-driven. And the insurance laws are different. But again, it's just the bare minimum that's required by state law. To get your car registered, you have to have a minimum policy of liability insurance coverage on your vehicle. And it's left up to the individual to take additional steps to protect them beyond what the bare minimums are.

Craig Petronella:

It sounds like there should be some major reform around that. Because if you leave it to the individual, most are going to choose the cheapest option.

Sean Park:

Most people who are essentially living hand to mouth don't have the means to pay for good coverage. And even if you have bare minimum coverage, it's still the devils in the policy's details. I see it all the time where you pay a premium, thinking you've got certain amounts of coverage. But then, because you didn't read the policy book in detail. There could be certain exclusions that prevent you from using your medical payments coverage, which you paid for. Or you're uninsured or underinsured motorist coverage, which is a contractual benefit that you pay for when you purchase that additional layer of coverage under your policy. The devil is always in the details. And so you'll have some substandard carriers that will issue insurance policies and give you the expectation, you've got certain layers of coverage that might give you confidence. But unless a person goes and reads that policy, they don't know. They don't know the coverage they've got, and they may not have the coverage status they think they paid for.

Craig Petronella:

And they might not be the best ones to go through it themselves. They should probably get help, at least maybe annually, from an insurance agent or somebody like yourself to go through that and pick it apart together to make sure that the individual understands their risks for the choices.

Sean Park:

Exactly. As you were talking about, people should always get a will, the very important thing, if you have the ability and the means to plan for it. A lot of people have financial planners. Financial planners will consult with wills and estate attorneys. Financial Planners will also consult with insurance agents to determine if you have appropriate levels of business insurance coverage, malpractice insurance coverage, an umbrella policy on your home for excess liability. Those are all things that can help you tick all those boxes if you put a plan in place. But I think the most critical with all of that is the need for personal relationships where you can get on the phone with someone and talk with them who got a question. And that's one thing I can't do with my clients. I can't roll the clock back to the day before they needed me. I can only try to be proactive and help them get a resolution or recovery in their case. Also, I guide them with directions on getting a will in the state's attorney or going through a divorce second before the divorce attorney. But the key is always to have good personal relationships. And that's one of the things that's been great about how you and I met is just the broad network that our business network has allowed us to meet people across the country and make those relationships and get to know people on a more personal level. So you know what it is they exactly do. And you can refer them on to someone that you might cross paths within another sector to help get them the help they need.

Craig Petronella:

Absolutely, be that connector, for sure.

Sean Park:

Absolutely.

Craig Petronella:

It sounds like the top two tips have your phone number in their glove box if they're in one of the states you practice in.

Sean Park:

Yes!

Craig Petronella:

Ideally, call you first. But admit, at a minimum, almost make a little checklist. Or if you have one that you can share, that'd be awesome. But if you're in an accident, these are the top three things you need to do right now. And the second one you mentioned was making sure yo

Sean Park:

Right. Now the insurance in most people isn't r insurance's inadequate condition in order. I would recommend at least annually audit your insurance and go through that with a licensed professional to make sure that you understand what you're signing up for. Let's be real. Most people want to do the minimum because it's cheaper. Everybody wants to save money, but you might not understand the risks associated with that cost savings. And there's a lot of movement to online platforms. But this is, in my opinion, more of a reason to have that personable relationship with an insurance agent and somebody like yourself so that you can pick up that phone, you can ask these questions. going to be. If you want to have a surefire way to fall asleep at night, read the details of an insurance policy not to put you to sleep after like the first page. So getting into the details of what your coverage is and the possible exclusions that are there. You need to have someone in a professional setting explain that to you and help guide you through that. So you can make informed decisions on it. But the three bullet points I would send away or send your audience away with is if you're even better in a wreck, and you're in the hospital, do not sign up with an attorney in the hospital. Do not talk with the insurance company or anyone from an insurance company until you speak with a lawyer. And if you're in the states of Georgia, Illinois, Tennessee, or Florida, and you're in a wreck, call me. My cell number is 678-592-8743.

Craig Petronella:

Awesome. Thank you so much, Sean. That has been fantastic. I was looking at cyber insurance for a client of mine. And on the cyber insurance side of things. Some vendors will require certain cyber requirements to do business with them. And we call sometimes they're given a questionnaire; we call those questionnaires a vendor security questionnaire or VSQ. And there might be certain coverage limits or requirements on there. But one thing that I learned in interviewing a cybersecurity professional is your annual revenue. So say the VSQ requires 5 million in coverage, but your annual revenue is only one; you can't get 5 million in coverage. I didn't realize that it was. So you can only get covered; you can get a little bit more than a million. So if your revenue is a million, you might be able to get a million and a half or 2 million if you combine an umbrella with things together. But you're not going to get to 5 million if your revenues aren't there yet. So I thought that was very interesting to hear. So I was just wondering if that kind of concept correlates to the individual level. If your net worth is X, maybe you only can get this certain amount of coverage for maximum. So on the other ends of the spec, not the cheapest coverage, but what's the best that I can get, too?

Sean Park:

I think with the consumer level with regards to just general premises insurance, like your typical homeowner's insurance for your auto insurance, they have certain levels that are in place. It gets to a point where it may be a company. You want to protect what you know you can lose. And that's the thing that I think from a casualty or hazard standpoint. You don't want to over-insure yourself, but you want to protect yourself from the liability side of things. You want to be able to protect yourself from what you could lose. Let's say if you look down to grab yourself. You hit a kid on a bicycle or something, or just or you have some unfortunate incident where you possibly can be at fault. You can be suspect or subject to a possible judgment. You want to make sure you've got good sufficient levels of insurance in place. And that's the difference between the insurance you're talking about the earnings that they might have over a year and being able to have comparable coverage and not get coverage at a certain level because their earnings aren't as much. You're seeking to protect what you already have what you could lose the event; you're at fault for something on the liability side of things.

Craig Petronella:

Right. One thing that came to mind when you're talking about that is, what about dash cams? Or dashcam technologies? Do you read those? Is that a good thing?

Sean Park:

I would recommend those in the sense that they are great captures of information. They can be distracting. And you could also mean pictures, always with 1000 words. And I have had a good fortune lately of getting surveillance footage that shows exactly how my client was injured and how my client was not at fault at all and what had happened. And there's a lot of legal channels you've got to go through to get that, especially when I had a guy who got hit by a car in a mall parking lot. And because I hadn't filed suit yet, the mall's risk manager said we're not going to respond to any document requests until you provide a subpoena. Well, that's I can't. I can't issue a subpoena until there's a formal court case. Often, the goal is to resolve my cases for my clients without having to resort to litigation. And it would give my clients a better ability to argue their case pre-suit if they would provide that information.

Craig Petronella:

Right.

Sean Park:

But I had to work with what I was given in a pre-suit capacity, and we turned up and turned up having to file suit. So I ended up getting the surveillance footage, but dashcam videos you've seen come on in the United States a lot like recently. But if you just watch random videos on Twitter on the internet, everyone in Europe has them. Even Russia seems to have them, and they're always on, and they're great ways to keep the information, gather information, and be able to provide your best case. They could also show that you might have been at fault.

Craig Petronella:

Right. Yeah. Providing factual evidence.

Sean Park:

Right. The camera is going to capture everything good and or bad for you. Thankfully, I've had a good fortune, and the times I've had good surveillance footage of cases. They've all seemed to cut my way. But yeah, that's another thing that I would recommend just because it's another way to protect yourself.

Craig Petronella:

Absolutely. Great information. Thank you so much. I appreciate it very much, and thanks for joining.

Sean Park:

I enjoyed it, Craig. Thanks a lot. Thanks for having me.

Craig Petronella:

All right, we're going to stop.

Announcer:

Thanks for listening to yet another episode of cybersecurity and compliance with Craig Petronella. Listen to all of our podcasts on Apple, Google, and Spotify. Visit us online at Petronellatech.com to book a meeting with Craig about your business.