Before you sign that contract...
Before signing any IT service or business associate agreement, medical practices should carefully review the contract to make sure they understand all of the contractual obligations, particularly any hold harmless, indemnification, and insurance requirements that might be imposed upon the practice. Attempts by cloud service providers (CSPs) to contractually transfer all or part of the financial consequences of a loss is widespread.
Practices should also request proof that CSPs maintain Cyber Liability and Technology Errors and Omissions Coverage before signing any agreement. As a potential client, you need to know if the CSP has the proper insurance coverage to respond to claims arising from a data breach of your patient records and for professional liability claims related to the technology services they provide on your behalf.
Providers should also review these contracts to determine if any insurance requirements are imposed upon them. Signing contracts without determining if you have the appropriate coverage could affect your practice financially. Depending on your insurance coverage provisions, your policy may (or may not) provide the funding of some liabilities/indemnities assumed under contract. If there are any specified insurance requirements, you should obtain coverage that “dovetails” with these indemnity obligations, if possible.
Financial contingency planning is important because the direct and indirect costs of a data breach can be significant. The costs of a data breach can include:
- hiring a privacy attorney to assist with the legal ramifications;
- setting up a call center to manage calls related to the breach;
- providing credit monitoring or identity theft restoration services; and
- conducting a forensic or security audit of the involved computer systems to identify the source and scope of the breach.
Unfortunately, there have been cases where medical practices thought their CSP or another service provider had appropriate cyber liability insurance coverage for a data breach claim — only to find out they did not.
Read our SlideShare presentation, What Every Physician Needs to Know About Cloud Storage, for more information on how to choose a CSP.