Computer Fraud Insurance: What's in Your Medical Practice's Policy?

October 17, 2013
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

With most HIPAA Final Omnibus Rule provisions now in effect, it's a good time for providers to review their policies.

Most people who own homes - especially in areas such as Florida, Texas, and California - own flood insurance. But, how many people actually read the policy? After all, water damage is water damage, right? No. A policy that covers water damage may or may not include damage caused by flooding.

This same concept applies to computer fraud insurance. And, with the September 23, 2013, effective date for most of the HIPAA Final Omnibus Rule provisions, now is a good time for providers to review their policies.

In fact, a New York appeals court, in Universal Am. Corp. v. National Union Fire Ins. Co. of Pittsburgh, PA, No. 2013 N.Y. Slip. Op. 06321 (N.Y. App. Div. Oct. 1, 2013), held that this particular policy covered only losses stemming from unauthorized access by outsiders or "hackers" violating the system, not claims-submission fraud perpetrated by authorized users. Here, the rider allotted up to $10 million in coverage for "loss resulting directly from a fraudulent … entry of Electronic Data" into Universal's computer system infrastructure. So, Universal argued that $10 million could be used to cover a portion of the $18 million in losses that resulted from providers processing fraudulent Medicare Advantage claims through its computer system. Unfortunately for Universal, it was determined that the policy language was unambiguous and, therefore, other funds had to be used to cover the financial impact sustained from the fraud.

This case highlights the importance of reading the policy and understanding exactly what is covered. A separate cyber security policy may be needed in light of remote computing, mobile apps, and cloud computing platforms. And, it is crucial to see whether violations of laws such as HIPAA and the Health Information Technology for Economic and Clinical Health Act, or HITECH, that cause financial damage are covered. Taking the time now could save time, money, and frustration later.