Are HIPAA-Covered Entities Required to Purchase Cyber Insurance?

Modified on Wed, 16 Jul at 9:25 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses whether HIPAA-covered entities are required to purchase cyber insurance.

Does HIPAA Require the Purchase of Cyber Liability Insurance?

HIPAA does not require the purchase of cyber insurance by a HIPAA-covered entity. Nonetheless, a healthcare organization may wish to purchase cyber insurance to protect against losses resulting from a cyber attack.

What are Some Resources I Can Review to Learn More About Cyber Insurance?

The Federal Trade Commission (FTC) has issued a publication that provides guidance on what a small business should look for in selecting a cyber liability carrier. This resource from the Department of Health and Human Services (HHS) provides guidance on what to look for in a cyber insurance policy. Page 36 of this HHS guidance document discusses cyber liability insurance coverage specifics, including what a cyber insurance policy should cover.

Additional information about cyber insurance can be found in this 405(d) resource. The resource notes that due to different risks and exposures, each healthcare organization's need for cyber insurance is unique to its business. When looking for a good cyber insurance policy, healthcare organizations should consider coverage in several areas, and weigh that with the associated premium and retention amounts.

What are Cyber Insurance Coverage Areas to Consider?

According to this 405(d) resource, small healthcare organizations should consider whether a cyber insurance policy offers coverage against the following:

• Data breaches (such as incidents involving theft of personal information)
• Cyber-attacks on your data held by vendors and other third parties
• Cyber-attacks on your own network (network breaches)
• Cyber-attacks that occur anywhere in the world (not just in the United States)
• Cyber-attacks determined to be the work of nation-state attackers
• Cyber-attacks aided by insiders, whether intentional or unintentional
• Cyber-attacks that lead to extortion (ransomware attacks)
• Terrorist acts
• Cyber warfare

The resource also notes that small healthcare organizations can consider whether a cyber insurance provider will:

• Defend you in a lawsuit or regulatory investigation (called a “duty to defend”)
• Provide coverage in excess of any other applicable insurance you have
• Offer a breach hotline that is available at all times, every day of the year
• Provide access to third-party breach specialists, including forensics firms, independent legal counsel working on your behalf (not on behalf of the cyber insurance provider), and incident remediation firms
• Provide coverage for notification costs, including printing, mailing, call centers, and PR assistance
• Provide coverage for loss of business or revenue

The decision as to whether to purchase cyber liability insurance, and as to what amount of coverage might be appropriate, should be made after contacting an insurance broker to understand what security requirements the carrier imposes for retaining the cyber insurance policy. Consulting with a qualified healthcare and/or healthcare insurance attorney should also be considered.
