However, the bill would assess additional penalties on organizations that have experienced a security breach. Such organizations would have to provide each individual whose information
was included in the security breach with a credit-monitoring
service for two years after the breach at no cost to the individual.
Moreover, entities may face penalties up to $5 million per violation.
The bill has been referred to the Senate Commerce, Science,
and Transportation Committee. When the Senate reconvenes,
the committee will determine whether to report the bill.
Given the threat of electronic data security breaches and the
increasing size and scale of costs and penalties associated with
such breaches, healthcare organizations may want to consider
investing in cybersecurity insurance.
Common cybersecurity policies include coverage for hazards
such as data privacy loss and repairs to company databases after system failures. Broader policies include coverage for costs
of notifying customers in the event of a breach as required by
the HITECH Act and loss of income from site failure.
Some policies even provide for crisis management coverage,
including hiring an emergency public relations team and monitoring credit for affected persons (as would be required by the
Data Security and Breach Notification Act of 2010). And some
cybersecurity policies provide coverage for the acts of “rogue”
employees in the inappropriate or even willful release of patient
health information. Traditional liability policies might not cover
deliberately inappropriate or illegal employee actions.
HIM Contributions to Cybersecurity Decision
Because they manage protected health information privacy,
HIM professionals have a role in a facility’s consideration of cybersecurity insurance.
HIM professionals know the risks associated with data breaches and inappropriate uses and disclosures, and they are charged
with managing employees whose rogue acts might expose the
healthcare provider to risk. In addition, HIM professionals are
generally the members of a provider’s administrative team that
work most closely with the business associates that provide services utilizing protected health information and thus would be
in the best position to know what risks exist in those relationships.
When making this decision, organizations may need to obtain
the privacy and security policies and procedures implemented
by business associates and make those available to the provid-
er’s insurance underwriters. HIM professionals (in cooperation
with the provider’s counsel) will be in the best position to know
whether these policies and procedures are compliant and pro-
vide adequate coverage of reasonably anticipated problems. To
the extent that a provider’s insurance coverage did not reach the
actions of business associates, HIM professionals should insist
that all business associates obtain and maintain such insurance,
adding the provider as an additional insured.
1. Ponemon Institute. “2009 Annual Study: Cost of a Data
Breach.” January 2010. Available online at www.en-
2. Verizon. “2010 Data Breach Investigations Report.” Available online at www.verizonbusiness.com/resources/re-
3. Symantec. “Symantec Internet Security Threat Report:
Trends for 2008.” April 2009. Available online at http://
4. Open Security Foundation DatalossDB. Available online at
“Cyber Security: Data Breach Insurance Gains in Popularity,”
Bank Technology News, June 2007. Available online at www.
“Cybersecurity Insurance Gains More Adherents.” Homeland
Security Newswire, June 24, 2010. Available online at http://
Data Security and Breach Notification Act of 2010. Available
online at www.govtrack.us/congress/bill.xpd?bill=s111-3742.
DuBois, Shelley. “Electronic Medical Records: Great, but Not
Very Private.” Fortune, October 6, 2010. Available online at
Risen, Tom. “Can Insurers Protect the U.S. from Cyber-Attack?”
National Journal Online, February 10, 2010. Available online
US Department of Health and Human Services. “Summary of the
HIPAA Privacy Rule.” Available online at www.hhs.gov/ocr/
Barry Herrin ( email@example.com) is a partner in the Atlanta office of Smith Moore Leatherwood LLP. Frankie Jones ( frankie.jones@
smithmoorelaw.com) is an associate in the firm’s Greensboro, NC, office.