Imagine the following scenario: Your employee recently received a new laptop. While in transit to a client site, he stops for a quick bite at a sub shop. When he returns to his car, he finds the windows broken and the laptop gone—an unencrypted laptop containing medical information gathered from multiple locations and stored in various formats. What happens next?
Low-tech Cyber Crime More Common
While so much press is devoted to highly publicized international cyber crime, the fact is that a very large percentage of protected health information (PHI) losses come from much more mundane, low-tech events. In fact, as of today, 4 of the last 5 resolution agreements posted on the U.S. Department of Health & Human Services (HHS) website pertain to lost or stolen laptops or other hardware.
Many companies are offering “cyber insurance” products to protect against the risks arising from, among other things, liabilities from the wrongful release of all kinds of information. Despite the “cyber” moniker, many of these products will also extend to the low-tech data breach just mentioned.
Many underwriters offer a one-size-fits-all program for cyber risk. However, the risks faced by hospitals, medical service providers, technology vendors and any other companies that have (or may have) access to PHI are unique.
Who Has Regulatory Exposures?
HIPAA, and more recently HITECH, extended regulatory exposure to just about anyone who is even tangentially involved with medical information, including business associates and their subcontractors. So, in addition to contractual obligations, companies handling PHI face a range of regulatory exposures that should be considered. There is also a tangle of state and federal laws that may or may not trigger patient notification requirements, and navigating them takes legal expertise.
Consider again the stolen laptop scenario: what would you do, and whom would you call first to help determine exactly what was stolen? How would you find out whether one or more of the many state and federal notice requirements was triggered? If notice is triggered, what exactly is required and how much might it cost? Note that the answer turns heavily on the word "unencrypted": had the disk been encrypted in line with HHS guidance, the loss would generally not count as a breach of unsecured PHI, and the notification analysis would look very different.
A cyber insurance policy designed specifically for the unique needs of PHI risk can help not only with civil cases brought by individuals but also with:
- Regulatory actions brought by state and federal regulators
- Your expenses for computer forensics
- Up-front legal assessment
- The costs of mandatory disclosures and notifications