HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that, among other things, required the creation of national standards protecting patient health information from disclosure without the patient’s knowledge or consent. The "portability" part of the law was originally about keeping workers covered when they move from one employer’s health plan to another; the privacy and security standards grew out of its Administrative Simplification provisions, which the U.S. Department of Health and Human Services (HHS) later implemented as the Privacy Rule and the Security Rule.
Protecting this kind of information can be a challenge. Any time information is in transit, it is inherently vulnerable. HIPAA places the onus on organizations like yours to protect this information. There are a number of ways in which violations of this regulation can occur, even if you do not intend to violate it or neglect your duty. They include:
Anyone with access to patient medical information can potentially violate HIPAA standards in any of the above ways, or more. The number of potential avenues to a violation is so large that attempts to describe them usually come in the form of a set of circumstances, any of which may lead to a HIPAA violation.
That being the case, and with civil penalties that can reach $50,000 per violation and an annual cap per provision that was set at $1.5 million (since adjusted for inflation), many organizations seek to protect themselves by obtaining insurance for HIPAA violations. This is a fairly new concept, but one that is rapidly gaining acceptance.
In addition to the nebulous nature of potential HIPAA violations, cyber threats are also a lurking source of potential violations. The Security Rule requires administrative, physical, and technical safeguards for electronic patient records, so storing them without adequate safeguards is itself a violation. This means a successful cyber attack on this data can expose you not only to breach-notification obligations but also to a finding that you were in violation before the attack ever happened.
Insurance coverage is designed to protect organizations against the violation conditions listed above and similar conditions. These include being considered in violation of improper data storage after a cyberattack, which may or may not be your fault. This type of insurance is frequently referred to as cyber insurance for healthcare due to the fact that cyber attacks are one of the most common ways organizations are held in violation by the federal government, even when they have taken measures to remain compliant.
Insurers that offer this coverage generally write cyber insurance only for medical practices that can demonstrate HIPAA compliance, in particular adherence to the HIPAA Security Rule, and they may treat a failure to maintain those safeguards as grounds to deny a claim.
The Compliancy Group explains, “HIPAA insurance provides coverage for forensic investigators to determine the scale of a cyber attack or privacy violation. It provides coverage for legal representatives to act as counsel to advise insured organizations of their obligations resulting from a breach of sensitive data. It provides for the costs of informing any affected individuals of a breach of their private information. It also covers the cost of hiring a public relations firm for advice on how to make public statements and whether or not to do so. Finally, HIPAA breach insurance provides coverage for credit or identity monitoring, including coverage for call center support.”
As threats from digital vectors continue to rise, cybersecurity insurance is increasingly becoming an industry norm to guard against HIPAA violations brought about via healthcare cyber attacks.
With all the confusion surrounding this complex regulation, many professionals are left asking the question, “What is HIPAA, and what is its purpose?” This is not an unreasonable question. It stems from the fact that the threat types it is intended to curtail are difficult to pinpoint.
HIPAA is a federal law that required the U.S. Department of Health and Human Services (HHS) to create national standards protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge. The best known of these standards is the HIPAA Privacy Rule, issued by HHS, which protects a defined subset of health information.
This rule establishes a set of standards regarding the use, control, storage, and disclosure of the health information of individuals or patients. For organizations subject to the rule, this type of data is known as “protected health information” (PHI).
HIPAA Privacy and Security Rules apply to the following types of entities:
The purpose of the regulation is to protect the privacy of individuals. HIPAA patient rights considerations are designed with the understanding that powerful entities can easily violate the rights of workers, patients, and other vulnerable actors, even without intending to do so. Its purpose is to make large, powerful organizations sensitive to the privacy and security rights of patients.
Because of the sweeping scope of potential HIPAA violations and the diffuse nature of their sources, particularly in digital spaces, many executives need a clear understanding of what HIPAA fiduciary coverage is before buying insurance coverage for HIPAA violations.
Fiduciary liability insurance insures your plan against losses triggered by a breach of fiduciary duty. Plan fiduciaries can be held personally liable for losses the plan suffers because of such a breach, including one that results in the exposure of HIPAA-protected information.
Fiduciary liability insurance is not required by the Employee Retirement Income Security Act of 1974 (ERISA). This is different from the fidelity bond, which ERISA does require for anyone who handles plan funds. Even so, the fiduciaries of any ERISA plan should consider acquiring fiduciary liability coverage.
Fidelity bonds and insurance against crime are similar, but they are not the same thing. There are different kinds of crime coverage for different needs that are selected based on perceived industry/business-model-specific risk factors. A fidelity bond, by contrast, is an insurance product that protects an organization or business from certain fraudulent behaviors.
This is coverage for crimes against your organization perpetrated by outside actors. In this case, we’re concerned primarily with cyber attackers who can trigger an apparent HIPAA privacy violation, but it does not have to be limited to this type of criminal activity.
This type of coverage is designed to protect your organization against losses due to the misdeeds of internal actors such as employees, contractors, and so on.
Fiduciary insurance is not a requirement of ERISA. However, the following practical considerations can make it a necessity:
The ERISA fidelity bond must be written for at least 10% of the plan funds handled, up to a maximum of half a million dollars, and this figure is the amount of the bond rather than its premium. For fiduciary liability coverage there is no comparable formula. According to the vice president of Cammack Retirement Group, Michael Webb, “There is no specific amount that is required or recommended by ERISA.”
However, Mr. Webb goes on to explain that there are a number of practical considerations that make buying excess fiduciary insurance a good idea. In doing so, you can protect your most vulnerable assets and provide for some headroom in order to stay in business after taking a significant hit.
According to HHS.gov, “A business associate is an individual or entity, such as a contractor, who performs services on behalf of the covered organization which involves access to protected health information.”
The HIPAA business associate system deals with contracts between the covered entity and the business associate. Requirements state that business associates must: