Digital medical records hold particularly sensitive health information, but they also contain a wealth of other information that cyber thieves can use to get rich, such as names and addresses linked to Social Security numbers. Thus, data containing protected health information (PHI) is a prime target for hackers.
HHS issues new cyber liability rules
The US Department of Health and Human Services (HHS), which regulates how PHI records are handled, issued final rulings on several elements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) and HIPAA (Health Insurance Portability and Accountability Act) in January 2013.
Collectively known as the Omnibus Rule, these new regulations have significant liability ramifications for health care providers and the firms they do business with, called “business associates” in regulatory language.
Omnibus Rule puts more responsibility on business associates
One of the biggest changes from a cyber liability perspective is that business associates are now burdened with greater responsibility for their custody of PHI data.
Law firm Honigman, Miller, Schwartz, and Cohn explains that HHS can “investigate violations and impose direct civil monetary penalties on business associates for violations of the HIPAA Privacy and Security Rules.”
Definition of business associate broadened
Furthermore, the definition of business associate has been expanded. In the Post-Omnibus Rule world, any firm that contracts with a business associate, and that has possession of PHI data, is itself construed as a business associate. So no matter how many degrees of separation exist between the health care provider and its business associates’ contractors, all the firms in the chain now have a legal duty to safeguard the PHI data.
More stringent notification trigger standard
The standard for triggering the breach notification process has also become more stringent. According to law firm Morris, Manning, and Martin, affected individuals must now be notified unless the breached firm can prove that there is a low probability of harm as a result of the breach.
HHS regulations have increased liability exposure and responsibilities
Steve Haase, INSUREtrust President, describes the insurance ramifications of the regulatory changes: “Before the Omnibus Rule, direct business associates could get by with pure tech E&O coverage or just add low-level cyber coverage. But now they are exposed directly to HIPAA sanctions and need more robust cyber liability insurance.” And business associates’ contractors are now on the hook too, which is a major departure from past policy.
The medical industry is a victim of hackers
We’ve written before about particular data liability issues faced by the ambulance and senior care facility sectors of the health care industry. And even Medicare has been a victim of a hacking attack. PHI breaches happen, and firms caught uninsured will face major financial hurdles.
The costs of a PHI data breach can be extensive, and can include:
- Fines levied by governmental agencies
- Notification costs to contact victims
- Computer forensics expenses
- Business interruption losses
- Public relations repair
If your firm deals with PHI, or any other sensitive data, you need cyber liability insurance. You probably already have coverage on all of your company’s physical property. But in many cases, your data is worth more than any other corporate asset. It needs to be insured too.
But finding the right cyber liability insurance isn’t easy. There are many types of policies on the market today, and comparing them is difficult. Plus, you may not be able to get the coverage limits your firm needs with just one policy.
INSUREtrust can help you find the best insurance solution because we have access to many insurance product markets and can, if necessary, combine products to custom build the coverage you need.