HIPAA Can Create Liability for Vendors: Carefully Crafted Cyber Insurance Coverage is Imperative
June 17, 2019
Matt Donovan, RPLU, AVP, Professional Lines Broker
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), a national standard to protect medical records and protected health information (PHI), applies to “covered entities” – health plans, healthcare providers and healthcare clearinghouses.
Clearinghouses are entities that provide repricing or other services like billing for insurance providers and payers. HIPAA privacy rules allow disclosure of protected health information to business associates, provided those companies agree in writing to appropriately use and protect that information.
“A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” [Health plans, healthcare clearinghouses and healthcare providers who transmit any health information per HIPAA.]
Contractual liability is a major exposure once a covered entity contracts with a business associate. Not all cyber insurance policies treat contractual liability the same. Recommending the wrong cyber form to your insured can mean an uncovered claim, which can create significant liability exposures for your agency or brokerage.
Another Data Breach Creates Major Liability
In response to another major PHI breach, involving as many as 12 million customers of Quest Diagnostics laboratories, the Health and Human Services Office for Civil Rights issued a fact sheet, Direct Liability of Business Associates, listing situations in which a healthcare business associate might be liable for failure to follow rules protecting PHI.
Here are a few highlights of that advisory bulletin, showing situations where a healthcare business associate might be liable:
- Failure to provide breach notification to a covered entity or business associate
- Impermissible uses and disclosures of protected health information (PHI)
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the request
- Failure to take steps to address a material breach or violation of the subcontractor’s business associate agreement
While healthcare providers insure themselves for a breach arising from their own operations, cyber insurance coverage for breaches that arise because of a relationship with a business associate can be more complex. It is important that your insureds identify how the vendors they contract with, and those vendors’ subcontractors, will use and protect PHI.
Strong contractual language is imperative to protect your insureds – but recommending the correct cyber insurance forms and endorsements can mean the difference between coverage and no coverage, should a contractor or subcontractor suffer a breach. For example, first-party breach response obligations may not truly be triggered in the policy if the notification onus falls on the HIPAA covered entity instead of the business associate.
Contractual liability exclusions originated to prevent payment for losses regarding liability that insureds willingly assume by contract. In today’s heavily electronic and interconnected healthcare world, the need for contractual liability coverage in cyber insurance that extends to business associate agreements is essential. In cyber, contractual liabilities are many. Cloud storage, technology work or other data services for medical providers (like billing or repricing) can create significant liability.
Typical policy wording can include: “With respect to all insuring clauses, the carrier shall not be liable for any loss arising from or in consequence of any liability assumed by any insured under any contract or agreement.” (See: Don’t Get Burned By Contractual Liability Exclusions In Cyber Policies.) This type of language can greatly affect the breach response payment should a breach occur that involves contractually triggered obligations.
Working with an experienced wholesaler who understands the coverage exposures and form limitations can help you recommend the appropriate coverages to your insured.
For more information, contact Matt Donovan at (678) 502-1278 or firstname.lastname@example.org