My colleague, Michael Kline, has been regularly reporting on this blog about the parade of Protected Health Information (PHI) privacy and security breaches that are occurring at large, sophisticated hospital systems, such as the Henry Ford Health System in Michigan, and health insurance carriers, such as Wellpoint, Inc. in Indiana.  A recent breach at the Puerto Rico Department of Health involved an estimated 400,000 individuals.  Breaches involving more than 500 individuals, including those referenced in this paragraph, must be reported to the Secretary of Health and Human Services (HHS) and can be accessed at the HHS Web site. 

If state agencies, insurance carriers, and large health care systems are vulnerable to the devastating aftermath of large breaches, how can a smaller covered entity, such as a free-standing specialty hospital or a physician practice group, or a business associate or subcontractor whose business does not revolve around or even frequently involve PHI, effectively limit its vulnerability to the heavy costs of a PHI security breach?

Whether HIPAA/HITECH privacy and security issues are in the forefront of an entity’s compliance mindset or are a periodically worrisome background buzz, an entity should investigate measures to protect itself against privacy and security breaches and the ensuing economic costs associated with investigation of the potential breach, notice to affected individuals and, potentially, HHS, damage to reputation, remediation and protection actions, and, possibly, penalties, fines, and other damages asserted by the government or third parties.

I was intrigued to learn recently of a type of relatively new insurance coverage called "Privacy & Computer Security Protection." This coverage may be a good option for those among us who worry that even airtight, well-implemented policies and procedures may not be enough. Whether a breach results from human error (a typical cause for breach) or from organized or individual cyber crime such as hacking and stolen laptops (a less typical, but increasing risk), insurance companies such as Chartis, Beazley, and Hiscox are willing to underwrite certain computer security risks and cover specified losses that may be incurred by an insured from a PHI security breach.


According to my friends at Marsh USA Inc. (an insurance broker and an original creator of "cyber" policy forms), subject to the results of an underwriting pre-assessment of risks specifically associated with an entity that is applying for insurance coverage against losses from a PHI security breach, such an entity may pay as little as about $20,000 for $1 million in coverage. Insurance protection might cover claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of PHI or other confidential information; vicarious liability for privacy breaches of an entity’s vendor/subcontractor; costs associated with defense of regulatory actions; costs associated with compliance with PHI breach notification requirements, costs associated with public relations/crisis management professionals, etc.


The extent of financial risk involved in the HIPAA/HITECH security breach context is daunting. The cost of just setting up and operating a toll-free line for PHI security breaches involving 3,000 individuals is estimated by the federal Office of Civil Rights to be upwards of $8 million (table on page 42764).


I plan to review and report back in future blog postings on the current coverage options specifically designed to protect against the costs of HIPAA/HITECH security breaches, gaps that may exist in the currently available coverage and other related matters.