Insurance for HIPAA Violations
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law designed to set up standards that protect patient data from being disclosed without the patient’s knowledge or consent. The idea behind the law is primarily to protect the information of employees in transit from one employer’s health insurance coverage program to another when changing jobs.
Healthcare Cybersecurity Statistics
- 55 percent of healthcare companies faced cyberattacks in 2018
- 89 percent of healthcare organizations suffered a data breach between 2017 and 2018
- 100 percent of web applications connected to health data storage are vulnerable to cyber attacks
- Data loss and related failures will cost the healthcare industry $6 trillion in damages by 2021
Protecting this kind of information can be a challenge. Any time information is in transit, it is inherently vulnerable. HIPAA places the onus on organizations like yours to protect this information. There are a number of ways in which violations of this regulation can occur, even if you do not intend to violate it or neglect your duty. They include:
- Failure to adhere to authorization expiration dates
- Failure to release information to patients promptly
- Improper or insecure disposal of patient records
- Unauthorized access to patient records
- Failure to obtain a patient signature
- Releasing information to an unauthorized recipient
- Releasing health information without authorization
- Releasing the wrong patient's information
- Missing right-to-revoke clause
- Using an insecure method of storage of private health information
Anyone with access to patient medical information can potentially violate HIPAA standards in any of the above ways, or more. The number of potential avenues to a violation is so large that attempts to describe them usually come in the form of a set of circumstances, any of which may lead to a HIPAA violation.
That being the case, and with potential fines ranging between $50,000 and $1.5 million, many organizations seek to protect themselves by obtaining insurance for HIPAA violations. This is a fairly new concept, but one that is rapidly gaining acceptance.
In addition to the nebulous nature of potential HIPAA violations, cyber threats are also a lurking source of potential violations. Consider the fact that the insecure storage of patient medical records is a violation of the federal act. This means a successful cyber attack on this data could place you in danger of being considered in violation.
HIPAA Insurance Definition
Insurance coverage is designed to protect organizations against the violation conditions listed above and similar conditions. These include being considered in violation of improper data storage after a cyberattack, which may or may not be your fault. This type of insurance is frequently referred to as cyber insurance for healthcare due to the fact that cyber attacks are one of the most common ways organizations are held in violation by the federal government, even when they have taken measures to remain compliant.
HIPAA insurance companies provide cyber insurance for medical practices that are HIPAA compliant, who obey the HIPAA security rules.
The Compliancy Group explains, “HIPAA insurance provides coverage for forensic investigators to determine the scale of a cyber attack or privacy violation. It provides coverage for legal representatives to act as counsel to advise insured organizations of their obligations resulting from a breach of sensitive data. It provides for the costs of informing any affected individuals of a breach of their private information. It also covers the cost of hiring a public relations firm for advice on how to make public statements and whether or not to do so. Finally, HIPAA breach insurance provides coverage for credit or identity monitoring, including coverage for call center support.”
As threats from digital vectors continue to rise, cybersecurity insurance is increasingly becoming an industry norm to guard against HIPAA violations brought about via healthcare cyber attacks.
HIPAA Privacy and Security Rules
With all the confusion surrounding this complex regulation, many professionals are left asking the question, “What is HIPAA, and what is its purpose?” This is not an unreasonable question. It stems from the fact that the threat types it is intended to curtail are difficult to pinpoint.
HIPAA is a federal law issued by the U.S. Department of Health and Human Services (HHS) that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. It contains the HIPAA Privacy Rule, which protects a subset of information.
What Is the HIPAA Privacy Rule?
This rule establishes a set of standards regarding the use, control, storage, and disclosure of the health information of individuals or patients. For organizations subject to the rule, this type of data is known as “protected health information.”
HIPAA Privacy and Security Rules apply to the following types of entities:
- Healthcare Providers: All healthcare providers who transmit patient health information via digital means, no matter how small, are governed by the HIPAA Privacy Rule.
- Health Insurance Plan Providers: Organizations that pay or provide for the cost of health care including dental, vision, health, and prescription drug insurance are governed by the HIPAA Privacy Rule.
- Healthcare Clearinghouses: Organizations that process non-standard data that they obtain from another organization and store in a standard format, or organizations that execute the same process in the opposite direction, are governed by the HIPAA Privacy Rule.
- Business Associates: Any person or group (other than a member of the covered entity’s workforce) who manages or uses the health information of individuals who can be identified by such information is known as a HIPAA business associate and is/are liable to remain within HIPAA compliance.
Why HIPAA Exists
The purpose of the regulation is to protect the privacy of individuals. HIPAA patient rights considerations are designed with the understanding that powerful entities can easily violate the rights of workers, patients, and other vulnerable actors, even without intending to do so. Its purpose is to make large, powerful organizations sensitive to the privacy and security rights of patients.
HIPAA Fiduciary Coverage
Because of the sweeping scope of potential HIPAA violations and the irresolute nature of their sources, particularly in digital spaces, many executives need a clear understanding of what HIPAA fiduciary coverage is before buying insurance coverage for HIPAA violations.
Fiduciary Responsibility Insurance Definition
Fiduciary liability insurance ensures your plan against losses triggered by a breach of fiduciary liability. Fiduciaries are held to be liable for any losses caused by a plan due to a breach of HIPAA protected information.
Fiduciary liability insurance is not required by the Employee Retirement Income Security Act of 1974 (ERISA), since it is a fidelity bond. However, the holders of any ERISA fiduciary insurance plan should consider acquiring coverage.
Fiduciary vs. Crime Coverage
Fidelity bonds and insurance against crime are similar, but they are not the same thing. There are different kinds of crime coverage for different needs that are selected based on perceived industry/business-model-specific risk factors. A fidelity bond, by contrast, is an insurance product that protects an organization or business from certain fraudulent behaviors.
This is coverage for crimes against your organization perpetrated by outside actors. In this case, we’re concerned primarily with cyber attackers who can trigger an apparent HIPAA privacy violation, but it does not have to be limited to this type of criminal activity.
This type of coverage is designed to protect your organization against losses due to the misdeeds of internal actors such as employees, contractors, and so on.
Reasons You Need Fiduciary Insurance
Fiduciary insurance is not a requirement of ERISA. However, the following practical considerations can make it a necessity:
- When corporate policy does not protect you when you are accused of a fiduciary breach
- When your company’s indemnity agreement is limited to state boundaries
- When, even after having won a lawsuit in which you are deemed to have done nothing wrong, your legal defense fees are excessive
- When you need to pay a settlement or court award
How Much Fiduciary Insurance You Should Have
In most cases, fidelity bond insurance costs 10% of protected assets valued as high as half a million dollars. According to the vice president of Cammack Retirement Group, Michael Webb, “There is no specific amount that is required or recommended by ERISA.”
However, Mr. Webb goes on to explain that there are a number of practical considerations that make buying excess fiduciary insurance a good idea. In doing so, you can protect your most vulnerable assets and provide for some headroom in order to stay in business after taking a significant hit.
HIPAA Business Associate
According to HHS.gov, “A business associate is an individual or entity, such as a contractor, who performs services on behalf of the covered organization which involves access to protected health information.”
The HIPAA business associate system deals with contracts between the covered entity and the business associate. Requirements state that business associates must:
- Set up permitted and required uses of protected information
- Not use or disclose protected information except as permitted
- Guard against unauthorized use of protected information
- Report any use or disclosure of the information to the covered entity
- Disclose protected health information as specified in its contract