
Data breach insurance for health care organizations


Health care organizations have a new type of insurance designed to protect them from a crippling financial loss in the event of a data breach. These stand-alone insurance policies would cover the expenses a practice can expect when a data breach occurs. And those expenses are rising each year.

The per-patient costs associated with a breach have risen to more than $200 for notification and loss of income, according to the Ponemon Institute, a research firm in Traverse City, Mich. And the government now has the power to impose hefty fines against health care organizations that fail to protect their patients’ privacy. A policy covering these costs may offer peace of mind to practices that would be devastated if a worst-case scenario happened, say sellers of data breach insurance.

Peace of mind comes at a price, however. Practices are left to wonder if buying a policy is a small price to pay for protection from a breach that could cost the practice millions. Or is that money better spent on beefing up data security? Data breach insurance doesn’t absolve practices from complying with federal rules on ensuring data privacy and security.

Security and liability insurance was created about 10 years ago for the financial industry after the Gramm-Leach-Bliley Act, passed in 1999, included mandates for financial institutions to protect their clients’ private information. Typical business insurance policies cover loss caused by events such as fire and floods, but not by breaches.

It wasn’t until six years ago, as health care institutions started to become more digitized, that the insurance industry realized that, like financial institutions, health care organizations had a lot to lose.

Stakes on protecting patient privacy were raised even higher with the passage of the Health Information Technology for Economic and Clinical Health Act, part of the 2009 federal economic stimulus package. This strengthened the regulations of the Health Insurance Portability and Accountability Act.

The HITECH Act not only required that any breach involving 500 or more patients be reported to those affected, to the Dept. of Health and Human Services and to the local media; it also imposed penalties for noncompliance that could reach $1.5 million per violation.
