The claims against South Shore Hospital alleged the failure to: implement appropriate safeguards, policies and procedures to protect the information; have a business associate agreement in place with Archive Data; and properly train its work force on health data privacy. Healthcare providers should realize that it may not just be a governmental agency coming after them. Lawsuits can arise from a single patient or from a group of patients — Emory Healthcare's alleged data breach has given rise to costly class action litigation. Litigation of this nature is outside of the coverage provided by traditional medical malpractice insurance.
Understanding Your Options
Health care providers have several options for addressing their cyber risks. Many providers try to be cautious and hope for the best. To these providers I say "best of luck." Other providers realize Health and Human Services (HHS) is not firing blanks anymore and take a proactive approach by securing an insurance policy to cover this exposure. These policies generally come in two varieties: Cyber Liability insurance and Network Risk insurance.
Cyber Liability policies provide coverage for liability that arises out of unauthorized use and unauthorized access to your electronic data within your network or business.
Network Risk policies provide coverage for liability that arises out of negligent use of your electronic data within your network or business.
The coverage typically includes:
1. Liability of the insured arising out of the failure to protect private data
2. Remediation and response following a data breach
3. Fines and penalties, and the costs incurred to investigate and defend claims.
Other areas of coverage are available but may not be typically provided. These areas of coverage include: malicious code, extortion, unintentional acts, mistakes, errors, omissions, virus, security breach, personal and advertising injury, loss of use, copyright infringement, trade and service mark infringement.
The events that trigger insurance benefits under a Network Risk or Cyber Liability policy vary. These events usually include a failure to secure data, losses caused by employee acts, sometimes acts by a third party, and losses that result from the theft or disappearance of private property that could compromise network security. All policy forms are different and may not contain each of these elements. Policy coverage should be selected to meet the needs of the healthcare provider.
Exclusions are varied and each policy should be examined closely. Julie Davis, the Vice President of Heffernan Insurance Brokers, says most policies do exclude patent infringement, willful acts and certain types of fines.
“Over the past year there has been an expansion of carriers and coverages offered. The marketplace is competitive. Some carriers now offer pre-negotiated breach response costs coverages and other types of risk management services that complement the policy. They could include crisis management services, notification of affected customers and credit monitoring. The size of the business, number of customers and type of data will affect the costs of these policies,” Davis said.
Coverage varies for EMR Systems
The growth in the use of Electronic Medical Record systems has increased the need for cyber insurance. Depending on the size and functionality of a provider's electronic medical record system, the coverage and cost of a policy may vary.
Ms. Davis recommends that providers secure an HHS Safe Harbor Certification. “Obtaining HHS Safe Harbor Certification is helpful in reducing the cost of a breach, reducing the likelihood of a data breach, making an actual breach more defendable if a company has Safe Harbor Certification. Also, this can reduce the cost of insurance for selected firms,” Davis said.
Strategies to Minimize Your Cyber Exposure
Healthcare providers have never been exposed to greater cyber liability risks. To avoid a costly breach, healthcare facilities and companies should adopt the following objectives:
• Assess your privacy and security policies and make sure they comply with state and federal laws and regulations
• Train your staff annually on HIPAA-related compliance
• Perform routine assessments to identify any potential holes in your HIPAA-related compliance
• Secure insurance to cover yourself in the event of a data breach
By focusing on HIPAA and HITECH compliance efforts, a healthcare facility greatly reduces its chance of a data breach. Unfortunately, no degree of planning and effort can completely eliminate all cyber risks. For these risks, it is wise to protect yourself with cyber liability insurance.