Quick answer

A small Texas healthcare practice renewing cyber liability insurance in 2026 will fill out a HIPAA-specific attestation as a condition of coverage. The application asks granular questions about Risk Analysis, Business Associate Agreements, multi-factor authentication scope, workforce training, backups, and incident response. Answering “yes” without supporting documentation is now the most common path to a denied claim, as illustrated by Travelers v. International Control Services, a 2022 federal case that voided a cyber policy from inception over an MFA misrepresentation. The same documentation gap that voids the insurance claim also drives OCR enforcement under 45 CFR 164.308(a)(1)(ii)(A), Texas Attorney General enforcement under HB 300, and Texas breach notification penalties under Texas Business and Commerce Code §521.151. A current, defensible HIPAA Risk Analysis is the single document that supports truthful answers to most attestation questions and protects against all three regulators.

Most Texas practice owners treat the cyber insurance renewal application as a procurement formality. It is not. Carriers underwrite small healthcare risk much more tightly than they did three years ago, and the application questions are where they look for grounds to deny a claim later. The attestation form is now where federal HIPAA, Texas HB 300, and the carrier’s policy language all intersect on one piece of paper.

This post is for solo and small Texas practices (1 to 50 employees) who are about to sign one. It explains what the form actually asks, why the answers have to be defensible with documentation, and how the HIPAA Risk Analysis is the single document that ties the whole picture together.

How Cyber Insurance Got HIPAA Religion

The healthcare cyber insurance market hardened sharply between 2022 and 2025. Two operational realities drove it.

First, healthcare is now one of the most claim-frequent sectors in the cyber market. Per the NetDiligence 2025 Cyber Claims Study, which analyzed 10,402 claims from 2020 through 2024, the average claim in the healthcare sector was $555,000, the average ransomware claim was $229,000, and ransomware events with significant recovery expenses averaged $961,000. The Coalition 2025 Cyber Claims Report shows that even though healthcare claims frequency dropped 19% year-over-year to 1.38% in 2024, average loss severity climbed 32% to $144,662. Fewer claims, costlier per claim.

Second, the At-Bay 2024 InsurSec Report found that remote access technologies were the entry vector for 58% of direct ransomware claims, and self-managed VPNs accounted for 63% of those remote-access events. Carriers responded by writing applications that ask specifically what the post-breach forensic report will look at. Coalition publicly lists five essential cyber insurance requirements: multi-factor authentication enforced on every login, security awareness training, tested backups, identity access management, and least-privilege data classification. The healthcare version of that application includes a HIPAA layer on top.

For a Texas practice, the application is now where federal HIPAA, Texas HB 300, and the policy’s own conditions of coverage all converge on one signature.

What Does the HIPAA Attestation Actually Ask?

A healthcare-segment cyber insurance application in 2026 typically includes specific yes/no questions across these categories. Each question has a documentation expectation behind it.

Risk Analysis. Has the practice conducted an accurate and thorough Risk Analysis within the last 12 months? The federal citation is 45 CFR 164.308(a)(1)(ii)(A). The carrier expects a written document that identifies threats and vulnerabilities, assesses likelihood and impact, and lists the controls in place. A generic vendor template that does not describe the actual practice environment will not survive a post-breach review. The pillar guide on what a defensible HIPAA Risk Analysis actually contains walks through the elements OCR and underwriters both look for.

Business Associate Agreements. Are BAAs in place with every vendor that creates, receives, maintains, or transmits PHI on the practice’s behalf? This typically means the EHR, the IT vendor, the cloud backup service, secure messaging, the billing service, and any AI scribe tool. A BAA inventory should list each vendor, the executed agreement, the effective date, and the renewal terms. The companion question, BAA vs DPA and when each is needed, frequently confuses small practices.

Multi-factor authentication scope. This is not a single “yes/no” but a list. Is MFA enforced for email accessed remotely? For all administrator and privileged accounts? For all remote access tools including VPN and RDP? For cloud and SaaS platforms? Each line gets its own check. Partial implementation answered as a blanket “yes” is the most common trap. Per a SeedPod cyber underwriting writeup, partial MFA is the single most-misrepresented control on healthcare applications.

Workforce training. Has every workforce member completed HIPAA training, with signed completion records retained? The federal floor is 45 CFR 164.530(b). The Texas floor is stricter: Tex. Health and Safety Code §181.101 requires training within 90 days of hire and signed records retained for six years.

Backups. Are backups tested, offline or immutable, and segregated from production credentials? Carriers ask this because most ransomware groups now actively destroy connected backups before encryption.

Incident response. Is there a written Incident Response Plan with named roles, contact lists, and a tabletop exercise on file?

EDR / MDR. Is endpoint detection deployed across all endpoints? Is there 24/7 managed detection and response? Per At-Bay, more than 50% of cyber claims could have been mitigated by MDR, which is why this question now sits near the top of most applications.

Why “Yes” Is The Trap: Travelers v. International Control Services

The canonical case for “yes without documentation” is Travelers Casualty and Surety Co. of America v. International Control Services, Inc., No. 22-cv-2145 (C.D. Ill., filed July 6, 2022). The facts are clean enough to read like a teaching example.

ICS, an Illinois manufacturer, applied for a Travelers CyberRisk Tech policy effective April 4, 2022. On the application, ICS represented that it used MFA “for administrative or privileged access.” In May 2022, ICS was hit with ransomware. The forensic investigation showed MFA was actually only deployed on the firewall, not on the server where the attack occurred. Travelers sued to rescind the policy on the grounds that ICS made “misrepresentations, omissions, concealment of facts, and incorrect statements” during the application process.

On August 26, 2022, the court entered judgment voiding the policy ab initio (null and void from inception). Travelers had no duty to defend or indemnify any claim under that policy. ICS paid for the entire ransomware response out of pocket.

The pattern keeps repeating. In April 2025, the City of Hamilton, Ontario had an $18.3 million ransomware recovery claim denied because attackers exploited weak credentials on an externally-facing system without MFA, contrary to the application. Fitch Ratings reports nearly 1 in 4 US cyber claims filed in 2024 were rejected for failing to meet coverage requirements. Of UK cyber claims in 2024–2025, more than 40% were rejected, most commonly for insufficient evidence that the security controls represented on the application were active at the time of the breach.

For a Texas practice, the takeaway is simple: a “yes” on the cyber insurance application is a representation that the carrier will validate against the forensic record after a claim. If the documentation does not exist, the policy can be voided.

Will OCR See Your Cyber Insurance Application?

The Travelers risk is not the only one. OCR is now actively cross-checking the same documentation through the HIPAA Security Rule Risk Analysis Initiative, launched in fall 2024.

The first settlement, with Bryan County EMS, was announced October 31, 2024 for $90,000 after a ransomware attack affecting 14,273 patients. The first seven settlements ranged from $10,000 (Northeast Surgical Group, a small Michigan practice) to $350,000 (NERAD). Every single settlement cited the same root failure: a missing or inadequate Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A). By April 2026, OCR had completed 13 Risk Analysis Initiative investigations and 19 ransomware-related breach investigations.

Small practices have been hit hard. In April 2025, Comprehensive Neurology, PC, a small New York neurology practice, settled with OCR for $25,000 plus a two-year corrective action plan after a ransomware attack. Deer Oaks, a behavioral health provider, paid $225,000 after a 2023 ransomware attack affecting 171,871 individuals, with OCR specifically citing the failure to conduct an accurate and thorough Risk Analysis.

Failure to conduct an adequate Risk Analysis was cited in more than 75% of HIPAA resolution agreements involving security incidents from 2020 to 2024. OCR’s January 2026 Cybersecurity Newsletter again identified Risk Analysis as the single most-cited deficiency in OCR investigations.

The connection to cyber insurance is direct. The same forensic report a Texas practice files with its insurer, the same incident response timeline, and the same documentation of which controls were in place, all become discoverable in the OCR investigation. If the cyber application said yes to MFA and OCR’s investigation finds no MFA, the practice has a discrepancy on the record that both regulators can use.

The proposed HIPAA Security Rule update, published in the Federal Register on January 6, 2025, would explicitly require Risk Analysis at least every 12 months, vulnerability scanning every six months, and annual penetration testing. It has not been finalized, but the direction of enforcement is clear. The bar is moving toward what cyber underwriters were already asking.

The Texas Layer: HB 300 and TDPSA Breach Notification

A Texas practice is exposed to more than HIPAA. The cyber insurance application sits on top of a Texas regulatory stack.

Texas HB 300 amended Chapter 181 of the Texas Health and Safety Code. Civil penalties under §181.201 run from up to $5,000 per negligent violation, to $25,000 per knowing or intentional violation, to $250,000 per intentional violation for financial gain, capped at $1.5 million per year for a pattern or practice. Section 181.101 requires HIPAA-plus-Texas training within 90 days of hire, refresher training within one year of any material legal change, and signed training records retained for six years. The Texas Attorney General enforces HB 300 separately from OCR’s enforcement of federal HIPAA. The deeper breakdown is in HIPAA Compliance for Solo Practitioners in Texas.

Texas breach notification. Tex. Bus. & Com. Code §521.053(b) requires notice to affected Texas residents “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” After SB 768 (effective September 1, 2023), §521.053(b-1) requires notice to the Texas Attorney General “as soon as practicable and not later than 30 days” after determining a breach affected 250 or more Texas residents, submitted through the OAG’s online breach portal. That is shorter than the federal HIPAA 60-day window for 500-plus affected individuals.

Texas civil penalties. Tex. Bus. & Com. Code §521.151 imposes civil penalties of $2,000 to $50,000 per violation, plus up to $100 per individual per day for notification failures, capped at $250,000 per single breach.

Active enforcement. In June 2024, the Texas Attorney General launched a data privacy and security enforcement initiative covering the Texas Identity Theft Enforcement and Protection Act, HIPAA, the biometric identifier law, and the Deceptive Trade Practices Act. In September 2024, the AG settled with Pieces Technologies, a healthcare AI company, for deceptive statements made to Texas hospitals about product accuracy and safety. The Texas AG actively enforces health-data laws at the state level.

A single Texas breach can produce: a federal OCR resolution agreement, a federal HIPAA penalty up to the 2026 cap of $2,190,294 per identical-provision category per the January 28, 2026 Federal Register notice, an HB 300 penalty up to $1.5 million annually, a §521.151 penalty up to $250,000, and a rescinded cyber policy. All from one incident.

You can model your own exposure with the HIPAA penalty calculator.

What Documents Should Be on Your Desk Before You Sign?

For a Texas practice owner sitting down to fill out the cyber insurance renewal application, this is the documentation that should be on the desk before any box gets checked:

  1. A Risk Analysis dated within the last 12 months, written specifically for the practice (not a vendor template), naming threats, vulnerabilities, controls, and likelihood/impact assessments per HHS Final Guidance.
  2. A Risk Management Plan under 45 CFR 164.308(a)(1)(ii)(B) with one row per identified risk, listing the owner, remediation step, target date, and current status.
  3. A BAA inventory listing every PHI-handling vendor, the executed agreement, the effective date, and the renewal date. Include the EHR, IT vendor, cloud backup, secure email, billing service, and any AI scribe.
  4. An MFA scope statement that lists every system MFA is currently enforced on. This is what the application will ask. If MFA is on email but not on remote desktop, the answer is not “yes.”
  5. A workforce training log with signed completion statements per Tex. Health and Safety Code §181.101(d), retained for six years.
  6. Backup testing records showing date of last test, success status, and whether backups are offline or immutable.
  7. A written Incident Response Plan with named roles, contact list, and a documented tabletop exercise.
  8. A written sanctions policy under 45 CFR 164.308(a)(1)(ii)(C) with at least one documented application.

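The MFA scope line (item 4) and the Risk Analysis and training dates (items 1 and 5) are the places where a blanket “yes” most often goes wrong. The script below is an added example, not part of this post or of any carrier’s form: it turns a constructed system inventory and workforce list for a hypothetical practice into one answer per application line, and only reports “yes” for a category when every in-scope system enforces MFA. The category names, the sample systems and the sample hire dates are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Attestation lines the post says the application splits MFA into.
MFA_LINES = ("email_remote", "admin_privileged", "remote_access", "cloud_saas")


@dataclass(frozen=True)
class System:
    name: str
    categories: tuple   # which attestation lines this system counts toward
    mfa_enforced: bool  # is MFA actually enforced on it today?


# Constructed sample inventory for a hypothetical small practice (assumption,
# not a real practice's data). One RDP path has no MFA on purpose.
INVENTORY = [
    System("Microsoft 365 mailboxes (remote)", ("email_remote", "cloud_saas"), True),
    System("EHR admin console", ("admin_privileged", "cloud_saas"), True),
    System("Domain admin accounts", ("admin_privileged",), True),
    System("Firewall VPN", ("remote_access",), True),
    System("RDP to billing workstation", ("remote_access",), False),
    System("Cloud backup portal", ("cloud_saas",), True),
]

# Constructed workforce records: hire date and date of the signed HIPAA
# training completion statement (None = no signed record on file).
WORKFORCE = [
    {"name": "front desk A", "hired": date(2025, 9, 1), "signed_completion": date(2025, 9, 20)},
    {"name": "new MA", "hired": date(2026, 1, 5), "signed_completion": None},
    {"name": "per diem RN", "hired": date(2026, 5, 15), "signed_completion": None},
]


def mfa_attestation(inventory):
    """One answer per application line: ('yes'|'no'|'n/a', [gap names]).
    'yes' only when every system in the category enforces MFA, so partial
    coverage can never roll up into a blanket yes."""
    answers = {}
    for line in MFA_LINES:
        in_scope = [s for s in inventory if line in s.categories]
        gaps = [s.name for s in in_scope if not s.mfa_enforced]
        if not in_scope:
            answers[line] = ("n/a", [])      # nothing of this kind exists
        elif gaps:
            answers[line] = ("no", gaps)     # name the systems that fail
        else:
            answers[line] = ("yes", [])
    return answers


def blanket_mfa_answer(inventory):
    """The single yes/no some forms still ask: yes only if every line is yes."""
    return all(a == "yes" for a, _ in mfa_attestation(inventory).values())


def risk_analysis_current(dated_on, today, max_age_days=365):
    """Risk Analysis counts as current only if dated within the last 12 months."""
    return dated_on is not None and today - dated_on <= timedelta(days=max_age_days)


def training_overdue(workforce, today, grace_days=90):
    """Hires past the Texas 90-day window with no signed completion record."""
    return [w["name"] for w in workforce
            if w["signed_completion"] is None
            and today - w["hired"] > timedelta(days=grace_days)]


def readiness_report(inventory, risk_analysis_dated, workforce, today):
    """Everything the owner needs in front of them before checking a box."""
    mfa = mfa_attestation(inventory)
    return {
        "mfa_by_line": {k: v[0] for k, v in mfa.items()},
        "mfa_gaps": {k: v[1] for k, v in mfa.items() if v[1]},
        "mfa_blanket_yes": blanket_mfa_answer(inventory),
        "risk_analysis_current": risk_analysis_current(risk_analysis_dated, today),
        "training_overdue": training_overdue(workforce, today),
    }


def demo_report():
    """Run the check on the constructed data as of a fixed date (assumed)."""
    return readiness_report(INVENTORY, date(2025, 4, 10), WORKFORCE, date(2026, 6, 1))


if __name__ == "__main__":
    import json
    print(json.dumps(demo_report(), indent=2, default=str))
```

On the constructed data the report answers “yes” for remote email, privileged accounts and cloud/SaaS, but “no” for remote access because the RDP path lacks MFA, so the blanket answer is also “no”; the Risk Analysis dated April 2025 is stale as of June 2026, and one hire from January has no signed training record past the 90-day window. Each “no” points at the exact item to fix before the form is signed.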
If any of these is missing or stale, the right move is to fix it before signing the attestation. The cost of fixing it now is much smaller than the cost of a rescinded claim plus an OCR investigation plus a Texas AG action.

What To Do Next

A Texas practice that does not have a current Risk Analysis on file, or has one that was written by a vendor and does not describe the actual practice, is the highest-risk profile sitting in front of any one of the three regulators above. The HIPAA Risk Analysis service is built specifically for this situation: a written analysis that satisfies 45 CFR 164.308(a)(1)(ii)(A), supports truthful answers to the cyber insurance application, and produces the documentation OCR asks for in the first investigation letter.

For practices that have already received an OCR letter or had a security incident, see the first 72 hours after an OCR investigation letter.

The cyber insurance renewal application is one document. The same documentation that lets a Texas practice answer it honestly also satisfies federal HIPAA, Texas HB 300, and Texas breach notification law. The work is done once. It protects against three regulators and one carrier.

Last Updated: June 1, 2026