Recent Article on Addressing Cyber Insurance Gaps as Both a ‘Risk Management and Brand Management Issue’

April 8, 2016. HIPAA Integrity recommends that you read the excellent April 6, 2016, Health Data Management article by Joseph Goedert entitled: “Cyber insurance gaps may surprise healthcare organizations.” This article is based on an interview with Collin Hite, a security expert with the law firm of Hirschler Fleischer in Richmond, VA. The article discusses the consequence of a breach and the need both for cyber insurance, especially for small providers, and for a thorough understanding of the insurance contract provisions. Cyber insurance coverages are complex, and covered entities and business associates subject to HIPAA/HITECH Act safeguard regulations should avail themselves of outside experts, some of whom may be provided by the insurer.


Cornichon Healthcare, which owns HIPAA Integrity, has highlighted in its blog postings over the past two years the importance of covered entities and business associates acquiring cyber insurance coverage, because the Insurance Services Office (ISO) commercial general liability (CGL) policies excluded HIPAA/HITECH Act related breach events from coverage, effective May 1, 2014. Now, because of heavy CGL underwriting losses pertaining to HIPAA/HITECH Act breaches, cyber insurance carriers increasingly are requiring written documentation showing that a risk management process, including a risk analysis, and risk mitigation measures are in place. The Ponemon Institute 2015 Annual Survey (sponsored by IBM) shows the following:


  • “The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”
  • “If a healthcare organization has a breach, the average cost could be as high as $363.”


Those costs include remediating the harm, notification of breach to affected individuals, and lost business and reputation.


It is important for covered entities and their business associates to be covered for privacy breach and security incidents, but such cyber insurance coverage increasingly requires evidence of a security management process and risk mitigation measures in place, at a minimum to be compliant with HIPAA/HITECH Act safeguard regulations. The Office for Civil Rights (OCR) March 21, 2016, announcement of desk and onsite compliance audits underway is another incentive to have written safeguard documentation in place. We discussed the OCR initiative in postings last week.


HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0), which was released earlier this week, is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance, whether for a potential OCR desk or onsite audit or as evidence to cyber insurance underwriters of a security management process and security measures in place. HIPAA Integrity comprises an easy-to-follow tabular risk analysis template; 92 written generic safeguard policies and procedures that a covered entity or business associate must have in place and that can readily be tailored to its risk analysis findings; 22 authorization and maintenance forms accompanying safeguard procedures; and the safeguard training curriculum in five lessons with test questions for administration by Privacy and Security Officials to their workforce members. Each component of the package is linked via proprietary code and written in plain language. HIPAA Integrity also includes guidance, online accessible authoritative references, and OCR audit protocols. At an affordable $499 for a year’s membership, including any federal regulatory updates, HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is a much more cost-effective option than being selected for an OCR desk audit and found non-compliant, or being rejected for cyber insurance coverage and having to deal with the financial and non-financial consequences of a privacy breach or security incident.


Read this important article by Joe Goedert and prepare to not be surprised.


