Understanding Contractual and Insurance Risk Transfer

January 31, 2017 John Southrey


TMLT policyholders have reported 456 cyber incidents since cyber liability coverage was added to their policies. Data breaches of protected health information (PHI) are pervasive in health care. Cyber criminality has become an accepted and lucrative business activity in some places in the world, including ransomware-as-a-service on the dark web.

"Cyber crime has gone pro. You're dealing with highly organized, very well-funded, and extremely smart people that make 10 times more money than they ever could in any other business where they live. Most people do not know that in a country like Ukraine it is legal to hack in foreign countries. So you're dealing with office buildings full of people that arrive at 9, leave at 6, take breaks and have health insurance, and it's a 100% criminal enterprise." (1)


Cyber security experts believe employees and third-party vendors are the weakest links in most organizations' data security management. Under HIPAA, a covered entity that uses the services of an independent contractor or business associate (BA), such as a cloud service provider, for processing and storing electronic protected health information (ePHI), must enter into a HIPAA-compliant business associate agreement (BAA). The BAA makes the business associate both contractually liable for meeting the terms of the agreement and directly liable for compliance with HIPAA Rules.

Covered entities also often sign service level agreements with their BAs that are wrapped with third-party hold harmless and indemnification provisions, which can be the most important part of a contract. So an important question for medical practices to review with their counsel, before signing a contract with any BA who handles their ePHI, is "Is my practice an Indemnitor or an Indemnitee in this contract?" In other words, who is agreeing to indemnify whom?

The Indemnitor is the party that provides indemnity to another, and the Indemnitee is the party that receives the indemnity for its liability to a third party that is assumed by the Indemnitor. A hold harmless is an agreement to indemnify an Indemnitee, but not a duty to defend them. An indemnity clause is an agreement to defend an Indemnitee, but it does not absolve the Indemnitee from its tort liability to a third party.

Medical practices should make sure they understand their contractual obligations with regard to any liability assumed under contract, particularly as it relates to the use, disclosure, or safeguarding of ePHI. Today's risk transfer game is for the contracting parties to try to contractually transfer as much risk as possible and to accept as little risk as possible (for themselves). Attempts to contractually transfer all or part of the financial consequences of a third-party loss also occur in a myriad of other contracts, including website privacy statements, company privacy policies, and Merchant Service Agreements.

A basic indemnity agreement is when the Indemnitor agrees to hold harmless and indemnify the Indemnitee from any claims, liabilities, damages, and attorney fees incurred by the Indemnitee arising from the Indemnitor's breach of its obligations. In some cases, the BA is the Indemnitor and the Indemnitee is the client/medical practice. Conversely, in other agreements, the client could be the Indemnitor and they would be expected to fund any assumed liabilities.

Practices may believe the service agreements they've signed with various BAs will alleviate them of their data breach responsibilities, which is not the case. Typically, the client - who is the owner of the records - will have to respond in the event of an impermissible data breach. The Office for Civil Rights would likely look first at the client's data security management and obligations in any investigation.

Depending upon the circumstances, the client and/or their BA will be faced with some or all of the following questions about their obligations:

  • Who has the responsibility to notify the affected individuals, state and federal regulatory authorities, and the media? (The non-owner of the data may only have an obligation to notify the data owner, but not the affected individuals.)
  • Who pays for the press releases or legal notices about the incident?
  • Who conducts or pays for the forensics investigation to determine the causation of the breach and what, if any, PHI was compromised?
  • Who pays for the credit monitoring and identity theft restoration services for the affected individuals?
  • Whose professional liability/cyber liability insurance is going to pay for these costs, including any potential loss of income due to a business interruption?
  • Do the practice and the BA have insurance coverage for liability assumed under contract?

Even if the notification obligation or indemnification is placed on the BA as the Indemnitor, it still brings up the question of how the Indemnitee can be sure the BA will comply with a contractual indemnification requirement. For example, does the Indemnitor have any financial contingency planning in place (as indemnities can fail)? Does the BA have cyber liability coverage to pay for breach response costs or for third-party damages and if so, do they have adequate limits and will it cover all of the breach response expenses? And, does the BA have insurance coverage for liability assumed under contract to back up their indemnification obligation(s)?


Each breach requires a unique response, depending upon the circumstances. In most breach incident cases, practices are surprised by the spectrum of direct and indirect costs that can arise from a data breach. The direct costs can include legal fees; IT forensic fees to determine the causation of the breach and whether any data was exfiltrated, and for data restoration; and breach notification and response costs, including legal fees, public relations support, hiring a call center, and providing credit monitoring and identity theft restoration services. The indirect costs can include the loss of income, diminished patient goodwill, and reputational damage.

Insurance is a form of risk financing and cyber insurance is playing a more vital role in financing the direct and indirect costs of data breaches in health care. Leading-edge cyber insurance policies today provide broad first party and third party coverages. These policies cover data breaches involving not only PHI, but other confidential consumer, corporate, and employee information, as well as negligent or malicious acts committed by employees; privacy claims from third parties and employees; cyber extortion (e.g., ransomware) and, of course, hacking attacks.

Among the most important third-party coverages is the security and privacy liability coverage. It includes a duty-to-defend for third party claims alleging liability resulting from a security or privacy breach, including the failure to safeguard confidential information or to prevent unauthorized access to a computer system containing private information; to safeguard online or offline information; to prevent a denial of service attack; or to prevent the transmission of malicious code from infecting the computer system of a third party.

Among the most important first-party coverages is the breach notification and response coverage. It includes the expenses incurred as a result of a privacy or security breach or adverse media report, as well as paying for the direct expenses outlined above.

It is also important to know if the cyber insurance policy will cover liability assumed under contract for damages resulting from certain wrongful acts, such as a security breach or privacy breach, where such liability has been assumed in the form of a written hold-harmless or indemnity agreement. This coverage can help to secure the insured's indemnity obligation in a service contract with a third party and provide direct liability coverage for the third party.

Some policies exclude coverage for liability assumed under contract or for any kind of indemnity or hold harmless agreement. Other coverage pitfalls can include exclusions relating to the insured's failure to maintain the security of its network or computer system in accordance with industry standards or regulations, and no coverage for unencrypted mobile devices. These types of exclusions can defeat the purpose of the cyber insurance.


Indemnity agreements are not insurance. Insurance is a separate agreement not governed by other contracts, as an indemnity agreement and an insurance policy impose separate and independent duties. So allocating coverage for liabilities directly is typically attempted through Additional Insured (AI) endorsements - rather than trying to rely on a contract's terms or having to engage in a contract dispute.

Importantly, a contractual requirement imposed upon an Indemnitor to provide liability insurance to cover an Indemnitee doesn't effectuate coverage for them in most instances. The Indemnitor's insurer is not bound by a contract executed between their insured and the client, unless the Indemnitee is added or defined as an Insured within the policy or the agreement is considered to be an "insured contract," which in liability policies is typically defined as the tort liability of another that the insured has assumed in specified contracts.

In some liability policies, the definition of Who Is Insured can include other types of Insureds, such as an agent or independent contractor while acting on behalf of the Named Insured. (Note this typically will not cover the agent or independent contractor's sole negligence, which is why they need their own insurance policy in their name.) It may also include, as an Insured, any person or legal entity the Named Insured is required by written contract to provide such coverage.

Some contracts also stipulate insurance requirements such as maintaining "professional liability insurance" (a generic term that can include an array of coverage forms) and/or can also require naming a party/Indemnitee as an AI to the insurance policy. (This latter requirement may provide a financial "safety net" in case the hold harmless agreement is deemed unenforceable.) In such cases, a practice should contact their commercial insurance agent/broker to determine if they have the appropriate coverage in place. An agent's contract review can help to determine whether a practice's proposed or current insurance program addresses the types and amounts of insurance coverage referenced in the contract and to evaluate the practice's ability to transfer and retain risk.

Below is an example of specific insurance language in a contract:

INSURANCE. During the Term of this Agreement, Covered Entity will maintain cyber liability insurance with minimum coverage amounts of $1,000,000 per claim and $2,000,000 in the aggregate. Vendor will maintain cyber liability insurance and technology errors and omissions insurance with minimum coverage amounts of $1,000,000 per claim and $2,000,000 in the aggregate. Any cancellation or reduction in coverage will not relieve either party of its continuing obligation to maintain such coverage. Vendor [Indemnitor] will name Covered Entity [Indemnitee] as an Additional Insured to its cyber liability and technology error and omissions policy.

There are benefits to being an AI, but some drawbacks as well. Advantages include giving the AI "privity of contract" in the Indemnitor's insurance policy. Therefore, as an Insured, the AI has the right to a defense and to tender a claim to the Indemnitor's insurer, even if the allegations lack any merit. Additionally, when an insurer owes a duty to an AI, most courts prevent the insurer from subrogating to recover from the AI because they are also an Insured in the same policy.

Among the more significant drawbacks is that the more AIs covered under the same policy and sharing the same limits, the less the Named Insured has for their own protection. In other words, the limits of liability can become diluted for all Insureds for claims arising out of the same insured incident. Moreover, the claim and defense expenses in most cyber insurance policies are paid inside the limits, so defending an AI can erode the policy aggregate limit, potentially leaving the Named Insured with inadequate coverage for their own claims.

There will be uncertainties in some situations about the role insurance may play in supporting contractual risk transfer. Depending upon the coverage provisions, it may provide the funding of liabilities assumed by contract, but perhaps not all of them. There is always some retained risk.


1. According to Stu Sjouwerman, the CEO and Founder of the IT security firm KnowBe4


This article is published by Texas Medical Liability Trust as an information and educational service. The information and opinions in this article should not be used or referred to as primary legal sources. The information presented should be used as a resource, selected and adapted with the advice of your attorney. Any description of insurance coverage is subject to the terms of the policy, the insurer's interpretation of coverage, and any applicable regulations. This article is distributed with the understanding that neither Texas Medical Liability Trust nor its affiliates are engaged in rendering legal services.

About the Author

John Southrey is the Director of Cyber Consulting Services at TMLT. John can be reached at john-southrey@tmlt.org.
