Demand for data security and privacy insurance policies, commonly known as cyber policies, looks set to rise following the release of the long-awaited HIPAA/HITECH final rule, which lays out strict rules regarding the handling and storage of patients’ protected health information.
William Boeck, senior vice president, insurance and claims counsel for Lockton Global Technology and Privacy Practice, says the final rule may lead to an upsurge in demand for cyber policies, which can give protection against the often costly consequences of a data breach.
“A typical policy will cover costs to investigate the breach, to respond to it, to provide notice, and to defend any resulting lawsuits that may come,” he said. “The policy will provide coverage to respond to regulatory bodies, for example the Office of Civil Rights of the Department of Health and Human Services (HHS). There has been a huge groundswell of interest in these policies over the last few years. That’s been driven largely by healthcare entities – and their interest is being driven by obligations under HIPAA and HITECH.”
He added that the director of the Office of Civil Rights has stated publicly that the final rule gives his department increased ability to enforce HIPAA and HITECH.
“Given that that is a reality and given the endless creativity of lawyers to come up with a lawsuit on behalf of people that have suffered some form of harm, insurance is becoming, at least from my standpoint, less of a luxury and more of a necessity, particularly for healthcare entities,” he said.
He anticipates that, because the final rule stipulates that there must be a presumption of harm in the event of a data breach, companies may feel compelled to give notice where they might not have done so in the past, thereby increasing the possibility that they will incur significant financial costs arising from a breach event.
“Not every hospital, not every business associate, is going to need the same policy but we’re in a climate right now where we are able to customise policies for particular entities so that they receive the coverage that they really need – it’s a bespoke policy for each entity,” he added.
“It is something that we’d certainly advise risk managers to consider so that all of their exposures – some of which may be unique to them – will be fully covered and that policy is designed to address the risks that they are most concerned about.”