Can business consultants have HIPAA liability?

Brought to you by Insureon Small Business Blog: Risk management insights and more for your business.
HIPAA violations can lead to $1 million fines. If consultants are hired by healthcare companies, they need to know this law and be ready to meet its standards.

As a management consultant or independent contractor, you may have HIPAA liability if you're hired by healthcare businesses and other companies with access to medical data. Because HIPAA violations can lead to million-dollar fines, it's important to know what you're getting into before you consult with healthcare companies.

So what is HIPAA? HIPAA and its 2009 update HITECH are laws requiring businesses with access to patient health records to take extra precautions to ensure the security and accuracy of these records. HIPAA can require businesses to:

  • Use encryption while transferring data
  • Go to extra lengths to secure their network
  • Strictly limit access to data
  • Take extra measures to protect hard drives, laptops, and mobile devices from being stolen

Those are only a few of the basic HIPAA requirements. What matters for consulting firms is that the minute you have access to a healthcare company's network, you face a new liability that could lead to expensive fines and lawsuit costs.

Even consultants with years of experience working with HIPAA-compliant companies are sometimes confused by the law's requirements. Let's look at an example of how this law works and how a management consultant could be exposed to HIPAA liability.

Management consultants and HIPAA liability: Proceed with caution

Say you're hired by a hospital to do a utilization review. To do your work, you'll get access to the hospital's data, files (physical and digital), and network.

To be HIPAA compliant, the hospital will ask you to sign a business associate agreement, which is a contract that requires you to know and follow HIPAA guidelines. These provisions can be in a standalone agreement or included in your consulting agreement.

Let's say you upload some of this medical data to your company's secure cloud network. The cloud servers are secure, so you can upload this data, right? Not so fast.

Only some cloud providers meet security standards strict enough to be fully compliant. Some companies, like Dropbox, keep your data encrypted but aren't HIPAA compliant because of the way they store their encryption keys: if a Dropbox employee chose to, they could theoretically open your data and view its contents. Even if data in the cloud is protected from outside attacks, it also has to be stored in a way that protects it from insiders.
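The distinction above is about who holds the key, not whether encryption is used at all. As an added illustration (this is not code from the original post or from any provider), the Go program below encrypts a record with a key the consultant generates and keeps, and uploads only the sealed result. Whoever operates the storage sees ciphertext and a nonce but no key, so a provider employee cannot read the record, and a wrong key, a modified ciphertext, or a record relabelled with a different ID all fail to decrypt. The record ID, the sample patient line and the key handling are constructed assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the only thing that leaves the consultant's machine. A storage
// provider (or one of its employees) holding this struct has ciphertext and a
// nonce, but no key, so it cannot read the contents.
type SealedRecord struct {
	ID         string // label bound into the ciphertext as associated data
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// NewDataKey creates a random 256-bit AES key. In practice it would live in a
// key store the consultant controls (assumption for this demo: held in memory).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key before upload. The record ID is passed as
// associated data, so a stored ciphertext cannot later be passed off as a
// different record.
func Seal(key []byte, id string, plaintext []byte) (SealedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return SealedRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a downloaded record. It fails if the key is wrong, the
// ciphertext was modified, or the ID label does not match what was sealed.
func Open(key []byte, rec SealedRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed record: bad nonce length")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient: J. Doe, visit 2023-04-02, dx: hypertension")

	consultantKey, _ := NewDataKey()
	sealed, err := Seal(consultantKey, "utilization-review/case-42", record)
	if err != nil {
		panic(err)
	}
	// This is all the storage provider ever receives.
	fmt.Printf("provider stores %d bytes of ciphertext and no key\n", len(sealed.Ciphertext))

	// An insider at the provider has no copy of consultantKey; any other key fails.
	insiderKey, _ := NewDataKey()
	if _, err := Open(insiderKey, sealed); err != nil {
		fmt.Println("insider attempt rejected:", err)
	}

	// The consultant, holding the key, recovers the record.
	plain, err := Open(consultantKey, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("consultant recovered:", string(plain))
}
```

The provider-side encryption the paragraph describes works the same way except that the provider generates and stores the key itself; the code is identical, the custody is not, and that custody is exactly what a compliance reviewer asks about.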

The point of this article isn't to get into the technical details of encryption and data storage; the point is to show that HIPAA requires extremely tight data security and it's easy to make a mistake and use a non-HIPAA compliant service. If you uploaded your client's data to a non-secure cloud, your business could be fined for this confidentiality violation.

Let's look at one more example. Affinity Health Plan was fined $1.2 million when it returned a photocopier to the leasing company that owned the machine. The problem? Old images of medical records were still on the device's hard drive. Whoops.

It's easy to see how hospital employees could have forgotten to wipe the copier's hard drive, or perhaps they had simply forgotten that the machine stored this data.

To be a HIPAA-compliant consultant, not only will you need to make sure that data transfer, storage, emails, and data entry systems are secure, but you'll need to avoid simple mistakes like this, which could lead to million-dollar fines.

Does your insurance cover a HIPAA violation?

Most likely, your consultant insurance won't cover a HIPAA fine. You may have cyber liability insurance or professional liability insurance, but these policies probably won't pay for a consultant's HIPAA violation. However, professional liability insurance, also called errors and omissions insurance, does offer you protection in other ways.

If a client sues you over your work, errors and omissions insurance can cover the cost of a lawsuit. If a client is fined over a HIPAA violation, they could sue you alleging you didn't protect their data properly and contributed to the violation. In this instance, E&O insurance could cover:

  • Legal costs
  • Lawyer's fees
  • Damages you owe the client

While E&O insurance will offer protection against lawsuits, the best ways to protect your company from HIPAA liabilities are:

  • Communicating clearly with clients about their data security
  • Making efforts to stay informed about HIPAA regulations
  • Working with IT professionals who know which software and services meet HIPAA standards

Compare quotes from trusted carriers with Insureon

Complete Insureon’s easy online application today to compare quotes for professional liability and other kinds of insurance from top-rated U.S. carriers. Once you find the right policy, you can begin coverage in less than 24 hours.
