Health Information Compliance Alert

Published on Mon Apr 05, 2004 PDF

Our experts help you separate fact from fiction

Accreditation agency URAC is now offering HIPAA privacy and security insurance to its clients. But before you rush order your very own HIPAA indemnification, there are a few facts you'll need to know.

The Basics: ACE Global Markets Jan. 6 began offering liability coverage for privacy and security rule violations as well as coverage for certain specific HIPAA-related damages including unauthorized disclosures of PHI. The coverage is only available to URAC-accredited entities.

Two Types of Coverage: There are two insurance policies of note to covered entities: The first policy covers health care facilities in the event of a HIPAA fine or violation and would indemnify the organization for these violations. The second policy is more of a traditional error and omission policy "that relates to the various things that can happen under the HIPAA requirements: copyright infringement, unauthorized disclosure, virus transmissions, et cetera," says Dave Wynstra, President of Healthcare First, a unit of the Brokerage Services Division of Arthur J. Gallagher & Co.

Wynstra says the coverage equates roughly to traditional medical malpractice coverage. "This is simply an expansion of [med mal] coverage and it relates it in a very meaningful and specific way to the HIPAA mandates," he explains.

Coverage Example: While you're certainly aware that there's no private right of action under HIPAA, one section of ACE Global's insurance covers liability arising out of unauthorized disclosure of private medical information. "The policy is really intended to cover the privacy of medical information. Coverage for specific state laws is available, but this was primarily built as a HIPAA product," says Michael Lamprecht, national practice leader of e-Insurance with Arthur J. Gallagher & Co.

The Costs: Wynstra says there has been a tidal wave of interest in the insurance policies and says he received roughly 100 calls about the policies within the first week of the announcement. And while the cost of the insurance premium will vary based on numbers of episodes of potential disclosures, he says it's probably going to have a minimum premium in the amount of $10,000. However, premiums could reach as high as $10 million, depending on the type and size of the entity requesting the policies and the risks involved with each potential candidate. 

The Benefits: Simply put, "the benefit of the policy is that it covers [corporate policyholders] against penalties by the federal government or state agencies for specific HIPAA violations, but also for liability damages," says Lisa Gallagher, senior VP, URAC I&T Accreditations. And Wynstra feels the coverage offered against unauthorized disclosure of PHI is really what medical facilities will find so appealing.

Potential Drawbacks: First of all, remember that these HIPAA insurance offerings are only available to URAC-accredited entities. Second, the coverage doesn't indemnify your organization in the case of a HIPAA criminal penalty. As HIPAA consultant Matt Anzaldo tells Eli, "HIPAA insurance is one way for large and small companies to mitigate costly HIPAA civil penalties, but not HIPAA criminal penalties." Lastly, remember that obtaining accreditation or HIPAA insurance doesn't mean you can't be busted by the feds for a HIPAA violation.

The Bottom Line: HIPAA insurance could be a great tool for entities worried about potential liabilities, but remember that the Department of Health and Human Services requires neither insurance nor accreditation. As Anzaldo notes, "if done correctly and by following the federal HIPAA regulations, HIPAA compliance can be achieved without insurance. If an organization needs insurance, it [may be] skeptical about the success of its HIPAA compliance plan."

Editor's Note: If you would like more information on the privacy and security rule insurance coverage offered by ACE Global, contact Dave Wynstra by phone at (415) 536-8522, or by e-mail at dave_wynstra@ajg.com.