Data compliance standards (HIPAA, HITECH and Gramm-Leach-Bliley Act) and the implementation of Electronic Health Records (EHR) requirements of the Affordable Care Act (ACA) require medical practices and healthcare organizations to not only utilize electronic data, but also ensure that the data is secure and methods are in place to report and recover any lost or stolen information.
Any company that maintains private personal/financial information on customers/patients has the responsibility to protect that information. Any unauthorized release of information or outside breach could violate privacy laws and expose the company/medical practice to a lawsuit.
A recent study by the research group Advisen found that, despite increasing instances of cyber attacks, 1/3 of companies that need cyber liability insurance coverage are adequately protected. Since medical practices and healthcare organizations collect and maintain more information than most other types of businesses, including private financial and health-related information, they can have even greater exposure. The widespread use of laptops, tablets and smartphones presents a growing risk of data loss related to the use of unsecured wi-fi networks and to loss of the devices themselves. Additionally, an increasing proportion of losses will involve a third-party partner (off-site data storage and servers, cloud-based storage, wireless network providers, etc.) who may be responsible for the loss, misuse or improper dissemination of information. Even a relatively small breach of records can incur tens of thousands of dollars in notification costs alone, followed by the compounding expenses of repairing the breached system(s), recovering data, indemnifying injured parties and paying attorneys.
A study by the Ponemon Institute* found that healthcare-related data breaches are on the rise even in light of improved compliance with HIPAA and HITECH.
Most assume that their existing Business Operating Policy (BOP), Commercial General Liability (CGL) or Medical Professional Liability Insurance (MPLI) will cover data-related losses, when in most cases information and data-related exposures are not covered and are commonly excluded from coverage. Although it is becoming more and more common for MPLI policies to include some form of limited cyber liability coverage in the basic policy, the depth of coverage can vary from carrier to carrier, and the standard limits of liability may not be sufficient to cover all costs related to a data exposure. Some MPLI carriers offer the option to increase the liability limits associated with the cyber coverage, and separate coverage can be obtained on a stand-alone basis or as an endorsement to a carrier’s BOP policy.
Premiums for cyber liability policies are determined by a variety of factors including the volume of patient records being maintained, the annual revenue of the practice, existing practice controls, loss history and the location of the practice. As the industry has gained a better understanding of cyber-related exposures in recent years, coverage is becoming broader and premiums more affordable considering the risks involved. It is certainly prudent for physicians and/or practice managers to seek advice from their agent/broker regarding an adequate level of coverage needed in case of a loss.
* “The Second Annual Benchmark Study on Patient Privacy and Data Security”. Study conducted by the Ponemon Institute through a sponsorship by ID Experts. To contact the author, call 800-457-7790 and ask for Rob Cash.