Catch 22 of HIPAA Cyberinsurance

May 28, 2015

For those of us of a “certain age” Catch 22 was a seminal book. We had always known that the establishment had secret rules that prevented us from doing what we wanted to do but it was spelled out clearly in the World War II book Catch 22. Basically Catch 22 was a rule that stated that if a pilot was crazy he couldn’t be forced to fly combat missions but if the reason that he didn’t want to fly missions was because he didn’t want to die, that proved that he wasn’t crazy so he had to continue to fly missions.

Apparently the Catch 22 for cyberinsurance is that you can be covered for the cost of a breach as long as you met standards that would have prevented the breach. Ipso facto ergo sum, if you had a breach you didn’t meet the standards. The standards in this case would be the standards established in the Health Insurance Portability and Accountability Act (HIPAA) and amended most recently in 2013 by the Omnibus Rule.

One of the Catch 22 rules is that encryption of PHI is not required but if you have a breach and the PHI is encrypted the breach didn’t happen. So you don;t have to encrypt PHI but if you don’t you didn’t meet the “minmum required practices”. You left the safe harbor of encryption and ventured out into the dangerous seas in a leaky boat, which was clearly your fault.

This begs the question, why not just encrypt PHI? Considering the risks, the cost of encryption shouldn’t be a factor. Access speed turns out to be the problem. Electronic PHI has been encouraged and even paid for to allow providers access to patient data that can improve patient outcomes, but providers are busy and impatient so if it takes too long to access the data they won’t use it. Better a fast leaky boat than a slow safe one.

One hopes that the solution is fast access to encrypted data but in the meantime beware of the Catch 22 lurking in your cyberinsurance policy.


Back to News