Your HIPAA risk assessment is current. Your policies are signed, your Business Associate Agreements are on file, and your last OCR review came back clean. Then your cyber insurance renewal application lands on your desk, and the underwriter wants proof of phishing-resistant multi-factor authentication on every system, endpoint detection and response on every device, and a written incident response plan you tested in the last twelve months. Being HIPAA compliant, it turns out, was never the question they were asking.
That gap is the reality behind the cyber insurance requirements for medical practice applicants now face: HIPAA compliance and cyber insurance underwriting measure two different things, using two different standards of proof. HIPAA confirms you have a documented process for managing risk to protected health information. A cyber insurance underwriter confirms your specific technical controls will hold up against the kind of attack that generates a six- or seven-figure claim. A practice can pass one review and fail the other, and more of them are finding that out during renewal, or after a breach, when a denied claim is the difference between a bad quarter and a closed practice.
Is HIPAA Compliance Enough for Cyber Insurance?
No. HIPAA compliance confirms that you have documented administrative, physical, and technical safeguards and can produce that documentation if the Office for Civil Rights (OCR) comes asking. Cyber insurance underwriting confirms something narrower and more technical: that specific controls—phishing-resistant MFA, monitored EDR, immutable backups, a tested incident response plan—are active in your environment today, not just written into a policy binder.
The two frameworks were never built to answer the same question. The HIPAA Security Rule, largely unchanged since the 2013 Omnibus Rule, sets a regulatory floor of administrative, physical, and technical safeguards, evaluated after the fact through audits and breach investigations. Cyber insurance is a commercial risk-transfer product. Underwriters price coverage based on claims data—what controls were present, or missing, in the incidents that already cost their industry billions—and they revise those requirements every renewal cycle, often faster than a regulator can move. HHS has effectively admitted the lag: the proposed 2025 HIPAA Security Rule update, still not finalized as of mid-2026, would make multi-factor authentication mandatory under a revised 45 CFR 164.312 and eliminate the “addressable” safeguard category entirely. Insurers made both of those changes to their own requirements years ago.
HIPAA and Cyber Insurance Are Grading Two Different Exams
A HIPAA Security Risk Assessment (SRA) is a documentation exercise: a systematic review of where protected health information lives, who can access it, and whether your administrative, physical, and technical safeguards match what 45 CFR 164.308 requires. OCR’s enforcement pattern makes clear what it rewards. In the first five months of 2025 alone, the agency announced ten settlements with healthcare organizations, with fines reaching $3 million per case, and in nearly every one, the underlying failure was not a sophisticated attack—it was the absence of a current, enterprise-wide risk analysis. OCR forgives a lot when the documentation is in order.
Cyber insurance underwriting stopped forgiving anything in 2026. The market has moved from a questionnaire-based model, where a policyholder could check a box that read “we have MFA” and move on, to an evidence-based one, where the underwriter asks for configuration exports, endpoint agent counts, and backup restoration logs before binding a policy. That shift means a healthcare organization can have a fully compliant SRA on file, current BAAs, and a clean training log, and still get flagged, non-renewed, or hit with a ransomware sublimit—because the underwriting review tested something the SRA was never designed to catch.
Know Exactly Where Your HIPAA Documentation Stands
What Cyber Insurance Underwriters Actually Require From Medical Practices
Ask ten carriers for their questionnaire and you’ll get ten different formats, but the substance converges on the same handful of controls. This is the cyber insurance checklist healthcare underwriters are working from in 2026, whether or not they hand it to you directly.
Phishing-Resistant MFA on Every System That Touches PHI
HIPAA has treated multi-factor authentication as an “addressable” specification for over a decade, meaning practices could document a reasonable alternative instead of deploying it. Cyber insurance underwriters do not offer that flexibility. Carriers expect MFA enforced on email, your EHR, VPN and remote access tools, administrative consoles, and practice management software, with no exceptions carved out for legacy systems. SMS-based codes are increasingly discounted for privileged accounts in favor of app-based or hardware-key authentication. The stakes of getting this wrong are documented: according to Coalition’s Cyber Claims Report, 82% of the claims it denied involved organizations that lacked properly implemented MFA across their environment.
EDR With 24/7 Monitoring, Not Legacy Antivirus
Antivirus software that scans for known signatures no longer satisfies a carrier’s technical questionnaire. The 2026 baseline is endpoint detection and response (EDR) or extended detection and response (XDR) running on every workstation, laptop, and server, with alerts routed to a security operations center staffed around the clock—whether that’s an internal team, a managed detection and response (MDR) provider, or an MSP that operates one. Underwriters increasingly ask how quickly an alert gets a human response, not just whether the software is installed.
Immutable, Encrypted, Restore-Tested Backups
“We have backups” is not an answer a carrier accepts anymore. The underwriting standard now specifies backups that are encrypted, isolated from the production network so ransomware can’t reach them, and restore-tested on a documented schedule — not just backed up, but proven recoverable. A backup you have never tried to restore is a theory, not a control.
A Written, Recently Tested Incident Response Plan
A plan that has lived in a shared drive since 2021 will not clear underwriting in 2026. Carriers want a written incident response plan refreshed within the last twelve months, with at least one tabletop exercise where leadership walks through a simulated ransomware or breach scenario and produces an after-action report documenting what needs to change. This is precisely the kind of program a vCISO builds and maintains as a standing responsibility, rather than a document drafted once and forgotten—which matters, because “documented but stale” fails an underwriting review almost as often as “never written at all.”
Turn HIPAA Documentation Into Insurer-Ready Evidence
Why Malpractice Insurance Won’t Cover a Data Breach
Medical malpractice insurance and cyber liability insurance protect against entirely different failures, and conflating them is one of the more expensive mistakes a practice administrator can make. Malpractice coverage responds to errors in clinical judgment and treatment. It does not respond to a ransomware attack that encrypts your EHR for a week, a phishing email that exposes a patient list, or the OCR investigation and breach notification costs that follow. Those require a dedicated cyber liability policy, evaluated against the same technical controls described above.
The lines are blurring in one direction, though: a growing number of malpractice carriers now ask cybersecurity questions on renewal applications, because a ransomware event that takes down clinical systems is also a patient-safety and standard-of-care issue, not just a data problem. A practice with a spotless malpractice claims history and weak technical controls is not insulated from that scrutiny. Answering “yes, we have a written policy” without the MFA, EDR, and backup controls behind it creates the same exposure on a malpractice renewal that it does on a dedicated cyber application—this is where malpractice insurance cybersecurity requirements and cyber liability requirements start to overlap.
What “HIPAA Compliant but Not Insurable” Looks Like in Practice
The consequences show up in three forms: a premium increase, a coverage restriction, or an outright denial. Brokers report that practices failing a carrier’s technical review are seeing premium increases of 40 to 100 percent, new sublimits that cap ransomware payouts well below the policy’s headline limit, or non-renewal. Industry-wide, the payout odds aren’t generous even for policies that stay in force: of the roughly 38,000 cyber insurance claims closed in 2024, fewer than one in three resulted in a payout, according to data from the NAIC and Fitch Ratings.
The mechanism carriers use to enforce this isn’t new. In one of the earliest and most cited examples, Columbia Casualty Company sued Cottage Health System after funding a $4.125 million settlement over an exposed-records breach, arguing that Cottage had failed to follow the “Minimum Required Practices” it attested to on its application—specifically, that patient records sat on a system reachable from the open internet without encryption. The case was ultimately dismissed on procedural grounds rather than decided on the merits, but the exposure it revealed hasn’t gone away: carriers can, and do, look behind an application after a claim is filed and challenge coverage based on what your actual environment looked like versus what you represented.
That gap matters most in healthcare because the stakes are the highest of any industry. According to IBM’s Cost of a Data Breach Report 2025, healthcare breaches averaged $7.42 million and took 279 days to identify and contain — the longest of any sector, and the fourteenth consecutive year healthcare has topped the cost rankings. A HIPAA risk assessment proves you have a process. It doesn’t cover a single dollar of that exposure if your cyber policy is reduced to a sublimit, or denied outright, because the underwriter finds a gap your SRA was never designed to catch.
Closing the Gap Before Your Next Renewal
None of this requires starting over. It requires treating your next cyber insurance application as a technical audit rather than a form, and closing the gap between what your HIPAA program documents and what an underwriter will actually verify.
- Run a controls-specific gap assessment. Map your current environment against a real underwriting questionnaire, not just the HIPAA safeguards you already track.
- Verify MFA is enforced everywhere PHI lives, not just on email. Start with administrative accounts and remote access, where gaps are most common and most heavily scrutinized.
- Confirm EDR is active and monitored on 100 percent of endpoints and servers. “Most of them” is a finding an underwriter will flag, not a control they’ll credit.
- Test your backup restoration process and document the date and result. An untested backup and no backup carry the same practical risk in an underwriting review.
- Write or refresh your incident response plan and run a tabletop exercise within the next twelve months, with an after-action report to show for it.
- Document all of it the way you would document a HIPAA SRA. Underwriters, like OCR, don’t credit controls they can’t see.
Most practice administrators aren’t equipped to run this kind of gap analysis on top of an already full HIPAA compliance calendar, and they shouldn’t have to be. A vCISO engagement is built to own exactly this: one gap assessment that speaks to both your OCR documentation requirements and your underwriter’s technical questionnaire, instead of two disconnected reviews that leave you guessing which one actually protects you.
Find Out Where Your Practice Stands Before Your Carrier Does
Frequently Asked Questions
Is a HIPAA risk assessment the same as a cyber insurance application?
No. A HIPAA Security Risk Assessment documents your administrative, physical, and technical safeguards for OCR’s benefit and is required under 45 CFR 164.308(a)(1). A cyber insurance application asks a narrower, more technical set of questions—whether specific controls like MFA, EDR, and tested backups are active today—and increasingly requires evidence, not just attestation.
What does cyber insurance require that HIPAA doesn’t?
Cyber insurers require phishing-resistant MFA with no exceptions, EDR with 24/7 monitoring on every endpoint and server, immutable and restore-tested backups, and a written incident response plan tested within the last year. HIPAA currently treats MFA as an addressable specification rather than a strict requirement, though the proposed 2025 Security Rule update would close that gap.
Can my cyber insurance claim be denied even if I’m HIPAA compliant?
Yes. Carriers evaluate claims against the specific controls you attested to on your application, not against your HIPAA compliance status. If your actual environment doesn’t match what you represented—commonly around MFA coverage, patching, or backup practices—a carrier can invoke a failure-to-maintain-practices exclusion and deny the claim regardless of your OCR standing.
Does malpractice insurance cover a data breach?
No. Malpractice insurance covers errors in clinical judgment and treatment. Data breaches, ransomware attacks, and HIPAA violations require a separate cyber liability policy, evaluated against the technical controls carriers now expect from every healthcare applicant.
The Bottom Line
HIPAA compliance and cyber insurance eligibility are both necessary, and neither substitutes for the other. A HIPAA risk assessment proves you have a process for managing risk to patient data. A cyber insurance underwriter wants proof that your controls will actually hold up when that risk becomes an incident. Practices that treat the two as the same exercise are the ones discovering the difference at the worst possible time—during a renewal, or in the middle of a claim. The ones that treat them as related but separate reviews are the ones still standing, and still covered, when something goes wrong.