Digital health companies face significant challenges when assessing their risks and their exposure to things like medical malpractice claims, HIPAA fines and penalties, and other costly litigation and regulation. Navigating this maze can be challenging and the results are often inconclusive.
To help provide more clarity, we recommend three crucial questions that typically are not considered in this process.
- How do your client contracts address your exposure to bodily injury, outage, or a breach of PHI caused by a failure of your technology? EXAMPLE: If you’re providing a data analytics platform, does your contract specify that you’re just providing data to better inform the physician and not directing the physician to provide care?
- How do your critical vendor contracts transfer risk, and is there a financial mechanism to support the risk transfer? EXAMPLE: If you host PHI and use Amazon Web Services to host this data, is AWS taking responsibility for HIPAA fines and penalties resulting from a breach that is their fault? HINT: probably not!!
- How do your cyber liability, professional liability, and general liability policies respond to the risks retained on your balance sheet after you analyze your contracts? EXAMPLE: If you’re assuming responsibility for a breach of your clients’ PHI, and not transferring that risk to your hosting provider, does your insurance carrier cover this exposure?
For more information on this process or if you have questions, feel free to reach out to any of our team members at Brush Creek Partners.