Digital medical records hold particularly sensitive information – including health conditions, diagnoses, and prescribed medications and treatments. But they also contain a wealth of other information that cyber thieves can use to get rich, such as names and addresses linked to Social Security numbers. Thus, data containing personal health information (PHI) is a prime target for hackers.
The US Department of Health and Human Services (HHS), which regulates how PHI records are handled, issued final rulings on several elements of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act) and HIPAA (Health Insurance Portability and Accountability Act) in January 2013.
Collectively known as the Omnibus Rule, these new regulations have significant liability ramifications for health care providers and they firms they do business with, called “business associates” in regulatory language.
One of the biggest changes from a cyber liability perspective is that business associates are now burdened with greater responsibility for their custody of PHI data. Before the Omnibus Rule, medical practices’ business associates were not directly subject to fines and penalties resulting from data breaches.
But now, explains law firm Honigman, Miller, Schwartz, and Cohn, HHS can “investigate violations and impose direct civil monetary penalties on business associates for violations of the HIPAA Privacy and Security Rules.”
Furthermore, the definition of business associate has been expanded. In the old world, a business associate was a firm that contracted directly with a health care provider. Post-Omnibus Rule, though, any firm that contracts with a business associate, and that has possession of PHI data, is itself construed as a business associate. So no matter how many degrees of separation exist between the health care provider and its business associates’ contractors, all the firms in the chain now have a legal duty to safeguard the PHI data.
The rule governing how a breach notification process is triggered has also become more stringent. According to law firm Morris, Manning, and Martin, prior to the new regulations, a firm only had to notify individuals of a breach of their PHI data if there was “significant risk of harm.” But now, affected individuals must be notified unless the breached firm can prove that there is a low probability of harm as a result of the breach.
Steve Haase, INSUREtrust President, describes the insurance ramifications of the regulatory changes: “Before the Omnibus Rule, direct business associates could get by with pure tech E&O coverage or just add low-level cyber coverage. But now they are exposed directly to HIPAA sanctions and need more robust cyber liability insurance.” And businesses associates’ contractors are now on the hook too, which is a major departure from past policy.
In addition to creating a need for new kinds of insurance coverage for many firms, the Omnibus Rule also imposes other duties on companies, requiring them to create technical and physical safeguards and policies and procedures to protect PHI.
We’ve written before about particular data liability issues faced by the ambulance and senior care facility sectors of the health care industry. And even Medicare has been a victim of a hacking attack. PHI breaches happen, and firms caught uninsured will face major financial hurdles.
PHI breach costs can be extensive: In addition to the fines levied by HHS and state regulatory agencies, the hacked company will almost certainly face lawsuits, computer forensics expenses, and business interruption losses, among other costs.
If your firm deals with PHI, or any other sensitive data, you need cyber liability insurance. We at INSUREtrust have been experts in cyber liability for over 15 years, and every day we help large and small businesses obtain the right policies for their particular needs.
Internet insurance doesn’t have to be expensive, but it is money well spent. The premium cost for a cyber insurance policy can be as little as $1000 for a $1 million policy limit.
Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims. Insurers are looking for business and we can find competitive pricing and terms for almost any risk.