A new kind of insurance is intended to protect health care organizations from large financial losses associated with data breaches, American Medical News reports.
The HITECH Act, part of the 2009 economic stimulus package, strengthened HIPAA privacy and security rules in part by requiring that any breach involving 500 patients or more be reported to HHS. The new stand-alone policies could cover expenses resulting from a data breach.
Health care providers still would have to comply with federal privacy and security rules.
According to Tracey Vispoli -- vice president and global cyber security manager for the Chubb Group of Insurance Companies -- small group physician practices are a good target for data breach insurance because they might not have staff or resources specifically for security purposes.
Howard Bergstein, an insurance agent, said premiums for a policy covering a practice of five or fewer doctors average $5,000 annually for $1 million worth of coverage. Vispoli said that amendments to data breach policies could be used to cover fines imposed by HHS or state agencies.
Questions Surrounding Data Breach Policies
Questions remain about how necessary the insurance is.
Robert Tennant -- a senior policy adviser at the Medical Group Management Association -- said physician practices should consider whether money could be spent more wisely on data security measures instead of on insurance.
He added that a significant challenge for practices is determining how reputation damage would affect the finances of a practice (Dolan, American Medical News, 1/31).