phidea
Published 2026-05-07 · Part of US insurance buyer guides

Cyber insurance for a healthcare practice — what HIPAA actually requires you to have.

If you run a healthcare practice, cyber insurance is more complicated than for other small businesses. The reason: HIPAA. Generic cyber policies often miss what HIPAA actually requires. Here's what to look for.

The short answer

Before you compare carriers, your cyber policy needs to clear three HIPAA-specific checks. A generic cyber policy that doesn't is inadequate for healthcare:

  1. HIPAA breach-notification costs covered at full policy limits, not sub-limited
  2. OCR (Office for Civil Rights) investigation defense covered at full limits
  3. Ransomware sublimit adequate for healthcare exposure (healthcare ransomware demands are typically materially higher than generic SMB cyber)

The carriers that consistently meet these three checks for a typical small-to-mid healthcare practice:

  • Chubb — strong policy form (paper) and the longest-established HIPAA-aware cyber offering. Typical choice for practices that prioritize claims-handling track record.
  • Coalition — bundled security monitoring and incident response, useful for practices without an in-house IT/security team. Typical choice for tech-forward practices.
  • Beazley — strong claims-handling reputation for HIPAA breach response. Their Beazley Breach Response (BBR) service is widely referenced.
  • At-Bay — insurtech alternative to Coalition with a similar monitoring-plus-insurance model.

Quote 2-3 carriers, match the three HIPAA checks, then optimize for price. Specific premium ranges vary widely — get quotes from a healthcare-aware broker.

Why healthcare cyber is different

Three things make healthcare cyber riskier than generic SMB cyber:

1. HIPAA breach notification. Under the HIPAA Breach Notification Rule (45 CFR 164.400-414), a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery; report the breach to HHS (OCR runs the breach portal: breaches affecting 500 or more individuals are reported at the time of the individual notices, smaller ones in an annual log); and notify prominent media outlets when more than 500 residents of a state or jurisdiction are affected. Notification costs are substantial — your cyber policy needs to specifically cover HIPAA-driven notification (not just generic state-AG notification).

2. OCR investigations. OCR enforces HIPAA against small practices, including clinics, dental offices and behavioral health providers, not only hospital systems. Settlements and corrective action plans are routine; investigations can run for years and require meaningful legal defense spend. Cyber policies should explicitly cover OCR investigation defense at full limits.

3. Healthcare is a top ransomware target. Per CISA and FBI IC3 reports, healthcare is consistently among the most-attacked sectors. Small practices are especially targeted because operational urgency (patient care) makes them more likely to pay quickly.

The three things to verify in any quote

1. HIPAA breach-notification cost coverage.

The right endorsement language: "Notification costs covered up to the policy aggregate, including HIPAA-specific breach notification (written notice, credit monitoring offers, call-center coverage)."

The wrong language: any sub-limit specifically applied to HIPAA notification, or coverage limited to "state-AG notification" without HIPAA reference.

2. OCR investigation defense.

The right endorsement: "Regulatory investigation defense covered up to the policy aggregate, including Office for Civil Rights investigations under HIPAA."

The wrong endorsement: regulatory investigation sub-limited at a small fraction of the policy aggregate. For healthcare, this is structurally inadequate.

3. Ransomware sublimit and OFAC compliance.

Verify the ransomware sublimit matches your practice's exposure (which depends on EHR criticality, telehealth dependence, and patient-data volume). Also verify the policy includes OFAC sanctions screening before any ransom payment: OFAC's 2020 ransomware advisory (updated 2021) warns that paying a sanctioned threat actor can violate U.S. sanctions regulations, which are enforced on a strict-liability basis, so the carrier's incident-response panel should run that check before any funds move.

What healthcare SMBs actually need

A typical practice insurance program:

  • General Liability + Property — Business Owner's Policy (BOP)
  • Cyber — separate policy with the three checks above
  • Professional Liability (medical malpractice) — separate from cyber
  • Employment Practices Liability (EPL) — for practices with employees

Don't try to consolidate cyber into a "medical practice protection package" — combined products typically have lower per-line limits and inadequate HIPAA endorsements.

What to do — in order

  1. Inventory your cyber surface. EHR system, billing system, payment processing, telehealth platform, business-associate agreements (BAAs) with vendors. Your cyber policy needs to align — including third-party vendor breach exposure.
  2. Quote at least 3 carriers with healthcare-specific endorsements. Coalition + Chubb + one of (Beazley, At-Bay).
  3. Use a healthcare-aware broker. Brokers specializing in healthcare professional liability often carry cyber too: Marsh Healthcare, Lockton Healthcare, NSM Insurance Group (specialty wholesale), CRC Insurance Services.
  4. Verify the three checks (HIPAA notification, OCR defense, ransomware sublimit) before binding. Get the endorsement language in writing.
  5. Match limits to your practice size and exposure. Higher limits for practices handling behavioral health, sensitive populations, or multi-state operations.


Frequently asked

How much does cyber cost for a healthcare practice?

Pricing varies widely by practice size, EHR system, telehealth exposure, prior incidents, and security posture score. Get specific quotes from a healthcare-aware broker — they see current ranges across their book. The retention (self-insured retention or deductible) and the ransomware sublimit matter at least as much as the headline premium.

Do I need cyber separate from medical malpractice?

Yes. Medical malpractice covers clinical care decisions; cyber covers data breaches, ransomware, regulatory investigations, and business interruption from cyber events. Some carriers offer combined 'practice protection' policies, but they typically have lower per-line limits and inadequate HIPAA endorsements. Separate policies with consistent limits are the standard.

What if my practice uses a third-party EHR like Epic or Cerner?

You're still responsible under HIPAA for patient data even when a third-party EHR holds it. The vendor is a business associate: under the Breach Notification Rule it must report a breach to you, but the individual, HHS and media notifications remain your obligation as the covered entity. Your cyber policy should therefore cover third-party vendor breach exposure — the scenario where your EHR vendor is breached and your patients are affected. Verify vendor-breach coverage, ransom-via-vendor coverage, and business-interruption-via-vendor-outage coverage.

Is Coalition better than Chubb for healthcare?

Different fit. Coalition's bundled security monitoring resonates with under-resourced practices (most don't have a CISO). Chubb's policy form and longer healthcare claims-handling track record resonate with practice managers who prioritize claims history. Both are credible. Get quotes from both.


Last modified 2026-05-12.