Insurance policy to cover violations of HIPAA rules

A San Francisco insurer is offering health care providers what it says may be a first in underwriting — a professional liability insurance policy specifically geared toward electronic-based and web-enabled transactions for health care operations. The policy might be especially useful in insuring against violations of the Health Insurance Portability and Accountability Act (HIPAA), the company says. The insurance is offered by Healthcare First, a unit of the brokerage services division of Arthur J. Gallagher & Co.

Healthcare First president David Wynstra tells Healthcare Risk Management that the insurance product was developed in response to the way many health care systems have become more dependent on electronic-based transactions via the Internet to carry out basic business functions.

"As a result, those organizations are now assessing their information technology risks and liability exposures," he says. "This corporate liability coverage will continue to indemnify electronic-based transactions that health care organizations use to manage, process, and disseminate information. Moreover, the coverage now helps indemnify corporate policyholders from damages resulting from HIPAA events, such as unauthorized disclosures of protected health information arising out of computer security violations."

Coverage for inadvertent violations

Wynstra says the intent of the policy is to cover organizations for inadvertent HIPAA violations and the policy would not cover any fraudulent activities. Health care providers would benefit in situations in which an unauthorized disclosure is made that results in damage to an individual or organization, and that party decides to sue for damages.

Though that may sound appealing to risk managers worried about violating the new HIPAA provisions, Wynstra notes that the policy will not cover fines levied by the government for HIPAA violations. That is consistent with other forms of insurance that commonly cover civil liabilities but cannot pay fines imposed by government agencies or law enforcement.

The eHealth/Internet Liability Policy will be underwritten by Mt. Hawley Insurance Co., a subsidiary of RLI Corp., and will provide premium discounts to health care providers accredited by URAC, an accrediting body in Washington, DC. The policy covers more than just HIPAA violations, says Michael Lamprecht, national practice leader of e-Insurance with Arthur J. Gallagher & Co.

The policy provides worldwide cyber liability coverage for exposures such as privacy infringement arising out of computer security breaches and contingent bodily injury arising from web site content, he says. The policy provides coverage for media perils such as copyright and trademark infringement, libel, slander, defamation, and product disparagement.

Wynstra notes that the underwriter will expect your organization to take all appropriate precautions regarding HIPAA, including the implementation of policies and procedures.

"There’s a rather rigorous underwriting program," he says. "Certainly, a security audit is necessary. We expect to see that the insured has taken all necessary steps to comply with HIPAA."