Protecting privacy Featured

8:00pm EDT August 26, 2009

Potential privacy liability risks are not limited to organizations that directly provide health care services. Any organization that touches or handles Personally Identifiable Information (PII) and/or Protected Health Information (PHI) is exposed to these risks, regardless of whether or not it is subject to the Health Information Portability and Accountability Act (HIPAA).

Smart Business spoke with Mary Pulley, managing director of health care at Aon Risk Services, about how to limit your health care risks and liability.

How do health care firms face liability risk when dealing with health care privacy?

Due to the nature of operations and the use of PII/PHI in almost all facets of the organization, health care firms have more channels of exposure than those in many other industries. Reasons for that include:

  • Many users: Many individuals have access to PII/PHI, both within a health care organization (physicians, nurses, accounts receivable, etc.) and externally (pharmacies, insurance companies, outsourced service providers). In addition, the continued introduction of new services, such as client-facing Web interfaces, opens new and evolving channels of exposure.
  • Scope of network operations: In order to facilitate availability for the numerous parties, network systems must be configured to allow for multiple points of access.
  • Outsourcing: Increasingly, health care entities are outsourcing in some manner.
  • Information technology implementation: The modernization of operations and implementation of technology can result in tremendous cost savings if performed effectively. The downside, however, can be system integration problems, employee training hurdles and system glitches that can make an organization vulnerable to a breach of confidential information.

How can a business protect itself from liability for breaches in data security?

Review your traditional insurance policies to determine the exact scope of coverage for data breaches. Changes in 2004 to the Insurance Service Organization forms, as well as some insurance litigation, have limited the coverage available under traditional general liability and property forms, and exclusions are becoming more common as general liability carriers offer standalone network security and privacy policies. Also, an increasing number of health care risk retention groups are formalizing exclusions for all cyber risks. And in the health care space, professional liability policies are intended to cover third-party damages and personal/bodily injury from errors, omissions or negligent acts in the course of medical care and related administrative services.

It is possible to endorse security and privacy coverage onto some health care professional liability policies, but most health care entities have elected to keep their security and privacy programs separate to avoid a shared limit and higher retention and to take full advantage of the marketplace because only a limited number of carriers will combine the programs.

What other coverage can help a business protect itself?

Depending on the facts of the data breach and the particular wording of the policies, some coverage could exist in various other policies, including commercial crime policies, employment-related practices policies, data processing policies, computer fraud policies, advertising, or kidnap and ransom (K&R) policies.

For instance, if a hacker claims that confidential information will be distributed on the Internet unless the insured pays an extortion fee, some K&R policies may provide defense and indemnity coverage. In general, however, such policies were not intended to cover privacy/data breaches, and there are significant coverage gaps in each.

In addition, security and privacy liability insurance (also called cyber liability or network risk) is designed to respond to third-party liability and related defense costs as well as some of the insured’s costs following a breach of the security and/or privacy of data.

First-party coverage includes several parts:

  • Information assets: Damage to or theft of the insured’s information assets from its computer system
  • Business interruption: Lost income suffered as the result of a system outage or extended down time due to failure of security
  • Cyber extortion: Threats to commit a computer attack against you
  • Crisis management/identity theft expenses: Costs including notification, credit monitoring and public relations expenses resulting from a breach
  • In addition, third-party coverage is available, which includes:
  • Professional services coverage: Acts, errors or omissions in the course of providing professional services, other than medical services
  • Content/media liability: Personal and advertising injury and some intellectual property infringement arising out of media content created, produced or disseminated by the insured
  • Network security liability: Breaches in network security or unauthorized access events
  • Privacy liability: Wrongful disclosure of confidential information

Health care entities considering this coverage should note that the information asset and business interruption coverage parts have not been especially relevant to the health care industry, due in part to the slow adoption of advanced information technology in the industry. There are exceptions, however, and one example is an entity whose primary revenue stream is from network/Internet activities, such as online pharmacies.

Mary Pulley is managing director of health care at Aon Risk Services. Reach her at (317) 237-2405 or mary_pulley@ars.aon.com. Contributions from Sarah Stephens, assistant vice president, Aon Risk Services, Financial Services Group, and Shannon Fort, associate broker, Aon Risk Services, Financial Services Group.