Insurance for HIPAA Violations? HIPAA & HITECH Act Blog by Jonathan P. Tomes


A Premium Member asked me what I recommended for the policy limits for insurance for HIPAA violations. Without obtaining a lot more information, such as by reviewing the entity’s risk analysis, I could not make such a recommendation, but provided what I trust would be helpful guidance, as follows.

The government has not developed any recommended insurance coverage guidelines, but, for example, CNA Insurance, “Information Privacy Coverage Endorsement: ‘HIPAA’ Fines and Penalties and Notification Costs,” provides the following coverage as a rider on its website:


Subject to the Information Privacy aggregate limit of liability stated on the certificate of insurance, we will:

(1) Pay “HIPAA” fines and penalties pursuant to the Health Insurance Portability and Accountability Act “HIPAA,” which you become legally obligated to pay arising from a “HIPAA” proceeding with respect to the management and transmission of confidential health information; and

(2) Reimburse you for notification costs related to the disclosure of confidential personal information provided that you obtain our prior approval before incurring such costs.

(3) Pay claim expenses related to 1. and 2. above.

The maximum civil money penalty for identical violations in any one calendar year is $1.5 million. Thus, $1.5 million may be a good amount for the coverage under 1, above.

Notification costs are the First Class Mail or other costs inherent in notifying victims of a breach. You could estimate the worst-case scenario if you had a breach involving all of your patients’ data to determine this amount.

Claim expenses would include costs of investigation, legal advice and review, and the like. For example, I recently prepared a response to the Office for Civil Rights in response to an investigation into a covered entity for a HIPAA complaint by a patient for $2,000 (cheap at the price—it was only because I know HIPAA intimately and could do a very comprehensive response quickly without spending a lot of time researching the issue), and it worked: Complaint dismissed and investigation closed. A big breach might incur much more in claim expenses.

Thus, I would recommend a minimum of $1.5 million per occurrence and $3 million in the aggregate. These amounts are pretty much what I see when I review business associate contracts from around the country. A very large health plan or hospital might need higher policy limits. But you must determine, as a business matter, whether you need such insurance or want to self-insure and, if you need it, how much coverage is cost-effective.
