Archive for Liability

Advocacy Efforts During COVID-19

Advocacy Efforts During COVID-19

The spread of COVID-19 has affected nearly all aspects of our daily lives. For the Medical Association’s efforts in protecting physicians and patients, this was also true. Nonetheless, between March 13 (when Gov. Ivey issued the COVID-19 state of emergency) and mid-May, our advocacy work continued in full-force.

Executive Actions & Proposals

  • Worked with various stakeholders and Governor Ivey to secure liability protections via an Executive Order for physicians, their staff and their practices against frivolous COVID-19 lawsuits (summary available here);
  • Successfully advocated against multiple dangerous scope of practice expansions proposed by both state and national organizations. Among other things, these proposals would have (1) eliminated physician supervision and destroyed the team-based care model; (2) granted CRNAs the ability to prescribe controlled substances; and (3) allowed pharmacists to switch a patient’s drugs without prescriber authorization and without any requirement to notify to the prescriber or the patient; and
  • Successfully advocated against a proposal to give out-of-state telehealth corporations special treatment that physicians currently living, working, and paying taxes in Alabama do not enjoy.

Telehealth Payment Parity

  • As one of our longstanding priorities (payment parity between in-person visits and telehealth services), we were proud to see reimbursement rates addressed and the policy of parity come to fruition.

Miss our 2020 Legislative Recap, What if No One was on Call? Click here for the annual rundown.

Posted in: Advocacy, Coronavirus, Liability, Members

Leave a Comment (0) →

COVID-19 State Liability Protection Bill to Be Filed

Alabama State Senator Arthur Orr (R-Decatur) is preparing to file a bill today to provide liability protection to physicians, health facilities and businesses from claims arising from COVID-19 and the state’s response to the pandemic. 

“These are unprecedented times and the Legislature must take swift action to protect physicians and businesses from COVID-19 frivolous lawsuits,” Sen. Orr said.  “We cannot wait to pass this legislation, as every day that goes by without these protections in place could mean these entities have unknown liability exposure for situations and dynamics far beyond their control.”

Medical Association President John Meigs, M.D., thanked Sen. Orr for his willingness to bring forward the legislation. 

“Practices of every specialty of medicine have been affected by this pandemic, from both the care-provision aspects but also the economic and business side.  The association appreciates Senator Orr’s leadership and willingness to bring this critical legislation forward,” Dr. Meigs said. 

The bill has widespread support among the health care and business communities.  The Legislature may meet as few as five legislative days this week but has as many as 14 at its disposal.  Most of the focus this week will be on local bills and the two state budgets, but the Medical Association is also encouraging legislators to take up Sen. Orr’s bill as a top priority.  

Posted in: Advocacy, Legal Watch, Liability

Leave a Comment (0) →

Rural Patients Wait Longest for EMS

Rural Patients Wait Longest for EMS

WASHINGTON, DC – The average interval between a call to 911 and arrival on the scene of emergency medical services is seven minutes in the United States, but patients in rural areas wait as long as 30 minutes for help to arrive. How long is too long to wait for medical attention?

The results of a study of EMS records from 2015 were published recently in JAMA Surgery (“Emergency Medical Service Response Times in Rural, Suburban and Urban Areas”) and revealed that patients wait seven minutes for an ambulance on average, but much longer in rural areas.

“Those seven minutes – or even longer in rural areas – are ripe for bystander intervention, especially for bystanders trained in first aid and/or CPR,” said one of the study’s authors, Howard Mell, MD, FACEP, a spokesperson for The American College of Emergency Physicians (ACEP).

The study, which analyzed 1.7 million EMS runs in the US, concluded that average wait time for EMS to arrive in suburban and urban areas was 6 minutes, while the average wait time in rural areas was more than double that, at 13 minutes. Nearly one in 10 911 calls in rural zip codes resulted in waits of nearly 30 minutes. The authors point out that in cases of severe bleeding, life-threating allergic reactions, cardiopulmonary arrest, or other time sensitive illnesses or injuries, bystanders need to be ready to help while waiting for the ambulance.

“A new public education campaign called ‘Until Help Arrives’ was designed to empower lay persons to provide care to the ill and injured until EMS personnel arrive,” said Dr. Mell. “This program can be helpful to all communities, particularly those in rural areas where the wait for EMS can be so long. Recognizing that you are the help until help arrives may be lifesaving.”

Posted in: Liability

Leave a Comment (0) →

What is the ProAssurance Legal Defense Endorsement?

What is the ProAssurance Legal Defense Endorsement?

As a ProAssurance insured, did you know that in addition to medical professional liability coverage your ProAssurance insurance policy also has embedded legal expense coverage for a variety of regulatory risk exposures, certain types of disciplinary proceedings, and other types of covered investigations? It’s called the Legal Defense Endorsement, and it is an automatic part of your policy at no additional cost to you. Generally speaking – and subject to applicable deductibles, policy period aggregates, and other terms and conditions – the Legal Defense Endorsement provides up to $25,000 of legal expense coverage on a per claim basis for a laundry list of “covered investigations” specifically listed in the endorsement.*

Many of the covered investigations are of the regulatory risk variety – like HIPAA, EMTALA, the federal Anti-Kickback and False Claims Act statutes, the Patient Protection and Affordable Care Act, and others. In the event of an investigation or proceeding commenced against you by a governmental or regulatory agency charged with the enforcement of compliance with those laws and regulations, call ProAssurance because your Legal Defense Endorsement could provide up to $25,000 of legal expense coverage to help you navigate the investigative process.

Several other covered investigations relate specifically to Medicare and Medicaid. Again, in the event of an investigation or proceeding commenced against you by any federal or state agency charged with the enforcement of compliance with certain laws regulating Medicare or Medicaid and the rules and regulations related to billing and reimbursement for medical services under those programs, your Legal Defense Endorsement could provide up to $25,000 of coverage for legal expenses you incur as a result of such investigations.

Some of the remaining covered investigations include disciplinary proceedings commenced by the state’s medical licensure commission investigating alleged unprofessional conduct that could result in action being taken against your license to practice medicine. Disciplinary proceedings commenced by a hospital or its medical staff for the purpose of suspending, modifying, restricting, revoking, non-renewing, or terminating your staff privileges are also covered investigations under your Legal Defense Endorsement. Many an unwitting physician has tried to represent him or herself in these types of proceedings, only to later regret not enlisting the assistance of legal counsel.

There are additional covered investigations in the Legal Defense Endorsement not mentioned in this article. If you want to read your Legal Defense Endorsement look for the form titled “Professional Legal Defense Coverage Part” in your current ProAssurance policy. The endorsement itself is about two-and-a-half pages. You can always access your policy documents online through the ProAssurance secure customer portal at

Knowing and understanding how the coverage in your Legal Defense Endorsement works can help you to avoid spending money out of your own pocket on legal expenses that could be covered by the endorsement. More importantly, taking advantage of the coverage in your Legal Defense Endorsement can help you to avoid digging yourself into a deeper hole by attempting to handle a covered investigation on your own without the assistance of legal counsel.

For more information about your Legal Defense Endorsement or if you have questions about the coverage in the endorsement, contact your ProAssurance representative for assistance.

*Please note that legal counsel must be either appointed directly by ProAssurance or if selected by the insured, appointed by ProAssurance with prior written approval before their legal expenses can be covered under the Legal Defense Endorsement.

Posted in: Liability

Leave a Comment (0) →

“WannaCry” Ransomware Holds True to its Name

“WannaCry” Ransomware Holds True to its Name

This week, countries around the world faced an unprecedented cyber security attack. On May 12, 2017, the Critical Infrastructure Protection Lead for the Department of Health and Human Services Laura Wolfe first reported it as a “significant security issue.” Hours later, the Department of Homeland Security’s Computer Emergency Readiness Team warned the public of a malware virus called “WannaCry.” As with typical ransomware, an individual would receive an email purposely designed to look like an email sent by a business or individual the recipient may be familiar with and contain either a link or attachment. Once opened, the virus spreads giving the attackers access to computer systems and the ability to encrypt the information and extort money from the victim.

What’s the relationship between HIPAA and ransomware?

When a health care entity is the victim of a ransomware attack, the protected health information accessed during the attack is considered to be breached. Therefore, unless the affected entity can prove the information was encrypted prior to the attack, it must go through all of the usual steps to comply with the HIPAA Breach Notification Rule. This includes, but is not limited to, reporting the breach to people whose information was compromised no later than 60 days from discovering the breach. If the breach includes the protected health information of greater than 500 people, there must also be contemporaneous notice to HHS and news media outlets.

Why can’t you just follow the money?

Often, individuals connected to ransomware activity will use a currency called “Bitcoin.” Since around 2009, bitcoin has allowed for the exchange of goods and services without regard to the identity of the sender or recipient. Since there is no bank to act as a conduit, there are no transaction fees which have allowed the use of bitcoins to increase in popularity among merchants. However, the anonymous nature of the transactions makes it difficult, if not impossible, to trace. This anonymity makes it a currency of choice among hackers.

Who does this affect?

Many health care entities built their information technology infrastructure around Windows XP when it was introduced in 2001. Windows XP was discontinued in 2014 and is no longer supported by Microsoft. As a result, it has not received necessary updates or security patches. Due to its initial popularity, many entities may still have at least one Windows XP device and have been sluggish to fully convert to a more secure operating system. Fortunately, as of the date of this article, experts have been able to identify the threat and dramatically slow the spread of the most recent virus. However, health care entities must be vigilant about addressing these cyber security concerns. Hackers are aware of these vulnerabilities and will continue to use their resources to exploit those weaknesses.

How can you protect yourself?

Make sure that you are using up-to-date antivirus software, and be sure to implement updates and patches as they are made available. Educate your staff on the importance of not opening suspicious emails, and teach them how to look for subtle irregularities hackers often use when they are attempting to pose as someone familiar to the recipient. Additionally, ensure you and your staff never click on links in emails that appear bizarre. A common example is an email from your banking institution that you were not expecting or a link to collect a fictitious lottery prize.

Victims of this cyber crime are encouraged not to pay the ransom because most often the information is still not made available by the hacker. Instead, if you believe that your system has been exposed to this malicious software, please report this threat to authorities. You can begin the process by contacting your FBI Field Office Cyber Task Force by visiting  You can also report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center at

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: Liability

Leave a Comment (0) →

Texting and Emailing in the World of HIPAA

Texting and Emailing in the World of HIPAA

If you experience anxiety every time you consider texting and/or emailing in your health care setting, you are not alone. On one hand, the world that we live in necessitates that information is communicated in a quick and easy manner. The ability to text or email staff and patients has become a high priority for many health care entities. On the other hand, patient privacy and confidentiality is essential to meeting compliance standards. Though emailing and texting are convenient, it certainly does not come without the possibility of pitfalls. It is a complex issue that requires meeting several factors in order to be implemented properly.

But Everybody Is Doing It, Right?

The perception is that many health care entities are already taking advantage of emailing and texting capabilities.  That may be accurate.  But the bigger question is whether they are utilizing those tools in accordance with HIPAA Privacy and Security requirements.  Health care entities should consider the following:

A Risk Analysis is key.  An adequate Risk Analysis is required to be performed at the outset of the practice, prior to developing a HIPAA policy.  This Risk Analysis identifies the type of information that you maintain or access and the areas within your entity where protected health information (PHI) is vulnerable. The Risk Analysis should be reviewed, and amended if necessary, whenever there is a change in your information technology environment.  This includes adopting the use of email and text messaging. The entity will need to consider potential vulnerabilities and threats, then document their plan to ensure that health information stays secure.

Show me the policy.  The HIPAA Privacy and Security policy must document your entity’s use of these services and define how employees are to utilize them.  This includes specifying whether only business owned devices can be used or whether the entity allows employees to utilize their own personal device (BYOD). The policy should also be specific about any differences in procedure for emailing and texting internally, versus outside communication with patients and other health care providers.  The policy requirement should be followed by adequate training.

Encryption, encryption, encryption.  Many entities that utilize PHI in email communications secure the information via encryption.  Within health care entities, the information is often secured by firewalls.  Firewalls make it much easier to implement security measures, oversee procedures and secure information.  Some health care entities choose to transmit PHI via electronic health records and customized patient portals. However, using emails to properly transmit PHI outside the entity is a much more complicated process.  To properly transmit PHI via email, encryption must be utilized.  Encryption software will resolve security issues because the patient receives an email containing a link which requires a unique username and password to access the PHI. Some patients find the process of logging in and remembering required passwords to be cumbersome, but others appreciate knowing that their information is secure.

Less is moreWhen communicating with individuals outside of your entity about PHI, utilize the Minimum Necessary Rule.  The Minimum Necessary Rule requires health care entities to limit the PHI produced to the amount of information necessary for the recipient to carry out their function.  For example, if another provider requests a patient’s diabetes lab work, only provide the requested lab work and not the patient’s entire medical record.  Also, it is recommended that you not share sensitive information including, but not limited to, a patient’s mental health, communicable disease status, child or elder abuse, and substance abuse issues.  The entity’s policies/procedures should define and describe how sensitive information should be transmitted.

The patient gets their way. HIPAA requires entities to communicate with patients in the manner determined by the patient, so long as it is reasonable. An entity’s Notice of Privacy Practices will generally articulate methods of intended communication by the entity.  However, a patient may choose not to receive communications through a traditional method. An example would be a patient request not to use U.S. mail, but to use email instead.  That entity may find that they do not have encrypted email capabilities that would appropriately safeguard the information. In this scenario, the health care entity must still comply with the patient’s request; however, they should have the patient sign a form that memorializes the patient’s request to use email communication and documents the risks associated with this request.

The guidance above does not apply to patient initiated communications. Patients are not considered to be HIPAA covered entities and therefore, their actions are not HIPAA violations.  Thus, patients are free to initiate emails or text messages with health care providers at their pleasure. Health care entities should have a form on hand for the patient to sign prior to responding to an email or text message from the patient. This form documents that the patient is aware of the inherent risk of email or text message communications, but wishes to receive the communication in that form anyway. This will help to satisfy the patient’s preference while helping to shield the health care entity from liability if communications are intercepted beyond the entity’s control.

Texting Has Added Risks

Text messages are generally available to anyone who utilizes that person’s phone because there is generally not separate password security for access to the text messaging feature.  Additionally, because the text messages do not pass through the entity’s servers, it is difficult, if not impossible, for IT staff and Security Officers to audit the texts.  And if these communications are intended to be a part of the patient’s record to demonstrate communication, the patient loses the right to amend the communication if it is not readily available in the paper or electronic record. There are vendors who offer “secure texting” solutions. If a health care entity is considering a secure texting vendor, have your designated Security Officer review their system carefully and converse extensively with the vendor about whether their product is indeed secure. A BAA with the vendor is also required. Finally, the entity should revisit its written policy and retrain when necessary.

To ensure that your practice is in compliance, and for assistance with determining whether your entity should proceed with implementing text or email communications, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: Legal Watch, Liability

Leave a Comment (0) →

What is a Business Associate Agreement, and Why Should You Care?

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1]  (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them with carrying out their work. This process of sharing PHI with a third party, non-workforce member, may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can led to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Services of the Archdiocese of Philadelphia settled with HHS for $650,000 when it was discovered that they may have violated the HIPAA Security Rule. CHCS provided management and information technology services to the nursing home company creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone without password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate as they shift liability to the Business Associate for the inappropriate conduct of the Business Associate. Medical practices should not allow any relationship with contractors to exist without first analyzing the need for a Business Associate Agreement. If not, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice attain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire. Additionally, a proper tracking system will ensure that nothing slips through the cracks.  Understand that if during an audit it is determined that your medical practice lacks the necessary BAAs, has expired BAAs or that they don’t have the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from

Posted in: Liability

Leave a Comment (0) →

Managing Your Practice: How to Lessen Your Risk of Workplace Violence


Editor’s Note: This issue was originally published in the 2016 Spring Issue of Alabama Medicine magazine.

Going postal, unfortunately, is part of our pop-culture lexicon. This well-known phrase indicates the workplace isn’t as safe as we once thought.
Hospitals and health care facilities were once considered safe havens from violent incidents. Unfortunately, the health care industry is more likely to experience workplace violence than most realize.

Data from the U.S. Bureau of Labor Statistics indicates in 2010 health care and social assistance workers were the victims of 11,370 assaults, more than a 13 percent increase since the year before. This shows more than a 13 percent increase since. In 2011, Modern Healthcare reported the Bureau’s statistics showed the chance of registered nurses being assaulted at work are more than triple that of the average American worker. Nurses had a 6.1 in 10,000 chance, while the general population had a one in 10,000 chance. The article further pointed out registered nurses are at greater risk of workplace violence than taxi-cab drivers or bartenders.1

The increase in workplace health care violence may be attributed to:

  • deinstitutionalization of psychiatric patients;
  • increased substance abuse (both street drugs and controlled substances);
  • gang violence;
  • economic stress;
  • frustration due to long waits in emergency departments; and
  • increased use of emergency departments by police to hold unruly/intoxicated patients.

Defining “Workplace Violence” and Taking Action

The National Institute for Occupational Safety and Health (NIOSH), defines workplace violence as “violent acts, including physical assaults and threats of assaults, directed toward persons at work or on duty.” 2Once violence is defined, the next step is to develop a workplace violence prevention program. The American Society for Industrial Security (ASIS) Health Care Security Council’s 2011 white paper, “Managing Disruptive Behavior and Workplace Violence in Health Care,” recommends workplace violence prevention teams adopt a multidisciplinary approach. This approach includes security, first responders, clinical staff, risk management, legal, human resources, administration, and other key stakeholders. Security experts recommend IT and security staff coordinate efforts due to increased use of technology in hospital security.

Once violence is defined, the next step is to develop a workplace violence prevention program. The American Society for Industrial Security (ASIS) Health Care Security Council’s 2011 white paper, “Managing Disruptive Behavior and Workplace Violence in Health Care,” recommends workplace violence prevention teams adopt a multidisciplinary approach. This approach includes security, first responders, clinical staff, risk management, legal, human resources, administration, and other key stakeholders. Security experts recommend IT and security staff coordinate efforts due to increased use of technology in hospital security.

The white paper also cites the International Association for Health Care Safety & Security’s five components of an effective workplace violence prevention program, which include:

  1. management commitment and employee involvement,
  2. worksite analysis (including evaluating the physical environment),
  3. hazard reduction and response,
  4. training, and
  5. recordkeeping and program evaluation (measured by empirical data). The white paper includes a sample threat assessment checklist, a workplace violence prevention policy, a list of common warning signs, and an assessment outline.3

The Joint Commission requires accredited hospitals assess their risk of violence, develop written plans, and implement security measures.4
Risks may vary by facility and by department, underscoring the importance of individualized analysis.

Worksite Analysis

Multiple sources suggest researching crime statistics in your facility’s immediate area. A physical environment assessment may include monitoring of facility entrances, parking ramps, and grounds. A walk-through also may determine whether in-house emergency call numbers are posted and that panic buttons are available at registration desks and nursing stations.

Additionally, determine if staff lounges are locked and layouts of patient rooms help prevent entrapment. Some facilities ensure bulletproof vests are readily available.

Identify additional risks by conducting surveys with all shifts and in multiple situations. This allows you to determine whether employees are familiar with the facility’s violence prevention program and their reporting responsibilities.

A number of federal and state agencies provide easy access to information and tools to assist in conducting assessments. The Occupational Safety and Health Administration’s (OSHA) “Guidelines for Preventing Workplace Violence for Health Care and Social Service Workers” lists specific steps to access, monitor, and analyze violent events and to evaluate the effectiveness of your workplace violence program. The Guidelines also list engineering and administrative controls to help minimize violence. The guidelines, sample checklists and violence incident report forms are available on OSHA’s website,

Hazard Reduction and Response

The next step is developing strategies and policies for preventing and managing the potential for violence. Consider implementing and/or revising:

  • education for administration and staff on recognizing the risk of violence;
  • definitions for “violence” and certain crimes;
  • an easily accessible reporting and documentation system;
  • written policies and procedures and personnel responsibilities, including reporting of incidents (describe specific codes to call, who to notify in specific situations, and interactions with law enforcement);
  • the facility’s assistance to employees following a violent incident;
  • debriefings (within 24-72 hours of an incident); and
  • ongoing training programs with required staff attendance.

Additional security measures might include metal detectors, bag searches, cameras, appropriate lighting, video monitoring, security personnel,
stationing security in high-risk locations, and nighttime escorts to parking lots.


Staff training may be one of your most effective tools in reducing violent incidents. New employees should receive violence prevention training as part of their orientation. Training should be ongoing and include supervisors and security staff. Topics may include:recognizing potentially violent situations and using de-escalation techniques;

  • recognizing potentially violent situations and using de-escalation techniques;behaviors that help diffuse anger – a calm and caring attitude, avoiding giving orders, and acknowledging the individual’s feelings; avoiding behavior that might be interpreted as aggressive (rapid movement, speaking loudly, or getting too close);
  • behaviors that help diffuse anger – a calm and caring attitude, avoiding giving orders, and acknowledging the individual’s feelings; avoiding behavior that might be interpreted as aggressive (rapid movement, speaking loudly, or getting too close);
  • taking patients to safe and quiet areas to calm emotions; and
  • move disruptive patients away from the rest of the hospital population.

Record Keeping and Program Evaluation

Lastly, it is key to document your violence prevention efforts ­whether to defend an employee’s or the hospital’s actions, or in response to an OSHA investigation. Thorough documentation also will assist in evaluating the effectiveness of your violence prevention program.

When Violence Occurs

Additional training may be necessary for employees in high-risk areas which typically includes emergency departments, ICUs, behavioral health, and operating rooms. Training may include proper use of restraints, physical techniques to subdue violent individuals, and administering medical care once the individual is subdued.

The Emergency Nurses Association’s November 2011 Emergency Department Violence Surveillance Study indicated the overall frequency of physical violence and verbal abuse for an ED nurse working 36.9 hours in a seven-day period was 54 percent of the 7,169 nurses participating in the study. Nurses were most often involved in triaging a patient, performing an invasive procedure, or restraining/subduing a patient when the violence occurred. Patients were the main perpetrators in all incidents; over 83 percent of the incidents occurred in patients’ rooms.

Further, the study indicates that physical violence rates increase as population density increases (9.1 percent rural vs. 14.1 percent large urban areas). The odds of physical violence occurring were higher for younger nurses; male nurses were more likely to experience physical violence than females. Also, the use of panic buttons/silent alarms correlated with less physical violence. And decreased odds for physical violence and verbal abuse were associated with enclosed nursing stations, locked or coded ED entries, security signs, and well-lit areas.5

Risk management experts recommend the following should a health care workplace violence incident occur:avoid confrontation – retreat to a safe place if possible;

  • avoid confrontation – retreat to a safe place if possible;
  • do not approach or attempt to disarm an individual with a weapon;
  • summon security or a behavioral response team, or call 911;
  • remain calm – refrain from agitating or threatening a violent person;
  • isolate the individual – protect patients, lock doors, direct traffic away from the area, and evacuate if possible.

Dealing with Media and Law Enforcement

ProAssurance Risk Resource Consultants suggest hospitals develop policies and procedures for communicating with the media and law enforcement. We also suggest designating a hospital spokesperson and making sure that staff receives ongoing training for these situations.

Ensure staff knows how to respond to requests for interviews, subpoenas, and/or search warrants. Be sure to provide contact information and back-up numbers so staff knows whom to contact in such situations. Staff also should be trained on how to preserve and maintain a chain of evidence, which may include illegal firearms or drugs and statements of witnesses and victims. Lastly, ensure staff understands HIPAA privacy issues in these situations.

Of Course, Document

Once the situation diffuses, staff should document what was seen, heard, and / or done. Documentation will be critical should the facility or an employee be named in a professional liability lawsuit.

Unfortunately, violence occurs all too often in health care, but it still catches health care staff off-guard because it’s so unpredictable. Implementing and adhering to a workplace violence program will assist you and your facility in preparing for these situations and help prevent injury to you, your staff, your patients, and patients’ families.


  1. U.S. Bureau of Labor Statistics:\
  2. National Institute for Occupational Safety and Health:
  3. The Joint Commission, Division of Health Care Improvement, Advisory on Safety & Quality Issues:
  4. Emergency Nurses Association, Institute for Emergency Nursing Research, Emergency Department Violence Surveillance Study:

platinummvpProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at ProAssurance is an official Platinum Partner with the Medical Association.

Posted in: Liability

Leave a Comment (0) →

ProAssurance: When Treated Fairly® is More than a Promise


Editor’s Note: This article was originally published in the 2016 Winter Issue of Alabama Medicine magazine.

Choosing the right company for your professional liability insurance is one of the most important decisions you make as a physician. With multimillion dollar jury verdicts on the rise again – Alabama has seen eight in the last 36 months alone – professional liability remains a significant threat to Alabama physicians. Yet given today’s financial pressures, it’s tempting to think of only price when considering professional liability insurance; for now is when the urge to cut a corner with a cheaper insurance choice can appear to make sense. But that’s the kind of short-term thinking that gets some insurance companies and, unwittingly, their insureds in trouble. When policies are sold on price alone, those who buy them may be left with a worthless piece of paper and myriad resulting problems.

Lured by low-cost premiums some physicians and physician groups in Alabama have switched insurance companies in recent years only to discover — sometimes mere months into the new relationship — that the new company’s idea of an unbridled defense in the event of a claim or lawsuit pales in comparison to the same promise ProAssurance makes and has consistently delivered to physicians in Alabama for more than 35 years. Dismayed, discouraged and dissatisfied with their new company’s inability to deliver the same quality of claims handling and legal defense, many of these same physicians have decided to return to ProAssurance, sometimes after having been insured by their new companies less than one year.

Founded by Alabama physicians in the 1970s when other insurance companies had left the state, ProAssurance has worked to level the legal playing field over the years and has helped make Alabama a safer and more predictable place to practice medicine. ProAssurance pioneered the aggressive defense of physicians in Alabama with a steadfast resolve to defend good medicine, discourage the filing of non-meritorious claims, and force plaintiff lawyers to think twice before suing a physician for malpractice — a time-tested and proven defense philosophy that has served well the physicians of Alabama. We don’t spare expenses, and we ensure that our defense lawyers have the resources necessary to defend our insured physicians. To date, ProAssurance and its exclusive panel of highly experienced defense lawyers have secured more than 1,300 defense verdicts at trial on behalf of Alabama physicians.

No other medical professional liability insurance company has committed anywhere near the time, effort, and financial resources that ProAssurance has committed to create, support, protect and defend the more favorable environment in which Alabama physicians now practice. What assurances are there other companies would do the same? None; but ProAssurance’s track record in Alabama speaks for itself.

ProAssurance understands the economic realities and challenging health care environment you face every day. The need for financial discipline is, in many ways, more urgent now than ever before — which is why you should seek full value in your professional liability insurance policy, demanding that every dollar you pay for that insurance purchases the full promise of an unfettered defense and the peace of mind that comes from knowing your insurance company is devoted to maintaining the financial strength to be here for you many years from now. You get that with ProAssurance. We don’t compromise the defense of a case for cost-saving reasons; other companies have, and still do — sometimes with catastrophic results. Furthermore, part of our commitment to you is that we will maintain the discipline and stability to do what’s right for you in the long-term.

ProAssurance exists to protect others. Our physician-focused mission is crystallized in the company’s guiding principle Treated Fairly®. Everything we do in Alabama — from our relationship with the Medical Association, to physician involvement on our Claims & Underwriting Committee and Regional Advisory Boards, to our unparalleled track record for successfully defending physicians in lawsuits, including at trial — underscores our Treated Fairly® pledge to you. Your policy will always be priced at a reasonable premium, but we will never risk your future by endangering the financial strength and long-term viability of the very company you trust to protect it.

Contributed by Hayes V. Whiteside, M.D., Medical Director, ProAssurance

platinummvpProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at ProAssurance is an official Platinum Partner with the Medical Association.

Posted in: Liability

Leave a Comment (0) →