Hospitals and physician practices can buy a new kind of stand-alone insurance policy to shield themselves from losing too much money due to data breaches, American Medical News reports.

The amount a healthcare organization might have to fork over in the event of a privacy breach, such as improperly accessed electronic medical records, could range anywhere from mild to potentially devastating. Last September, for example, Lucile Packard Children’s Hospital at Stanford tried to appeal a California Department of Public Health fine of $250,000 for allegedly reporting a data security breach 11 days beyond the required window.

In recent years, laws have ratcheted up pressure on healthcare entities to push for better reporting of incidents of a certain magnitude, or risk facing the consequences. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the 2009 federal economic stimulus package, requires healthcare organizations to notify not only the patients possibly affected by a breach, but also the Department of Health and Human Services and local media of any breach involving at least 500 patients. Potential penalties for not complying range as high as $1.5 million per violation.

Privacy breaches can cost more than $200 per patient for notification and loss of income, according to the Ponemon Institute.

Although insurance agents initially thought larger organizations, such as hospitals, were the most vulnerable to data breaches, that might not be true.

Smaller organizations, such as physician practices, might face higher risks for privacy breaches, said Tracey Vispoli, vice president and global cyber security manager for the Chubb Group of Insurance Companies, an insurance underwriter group that has created a security and liability policy for small practices. “Those are the entities that don’t necessarily have an information security person on staff or resources to put around information security,” she said.