UCLA Health recently settled a class action lawsuit against it for $7.5 million. The plaintiffs were victims of a hack attack on UCLA’s network that exposed the data of 4.5 million patients. The lawsuit alleged that UCLA was negligent in its security efforts to protect patient data and that it had not complied with HIPAA’s breach notification rule. This settlement comes on top of other settlements and civil money penalties (“CMPs”), such as the following:
- $3 million settlement by Cottage Health, which operates four hospitals in California, for failure to conduct a thorough, system-wide risk analysis and for failure to reduce risks to a reasonable and appropriate level.
- $4.5 million settlement by Community Health Systems in a lawsuit brought in the Federal District Court of the Northern District of Alabama, which alleged that Community Health had failed to comply with HIPAA’s requirements and the concomitant promise to act reasonably to safeguard confidential patient data.
- Aetna added another $935,000 settlement payable to the State of California to its earlier settlement for $17 million to victims of the breach in a case in the Federal District Court for the Eastern District of Pennsylvania. Aetna also settled with Connecticut, Washington, New Jersey, and Washington, DC, for its data breach.
These and other class action lawsuit settlements indicate that Health and Human Services (“HHS”) civil money penalties (“CMPs”) (what HHS calls fines) and settlements in lieu thereof are not the only financial risk of noncompliance with HIPAA and, indeed, may not be the greatest risk. The increased enforcement of HIPAA, with a recent record $16 million settlement in lieu of a CMP by Anthem, Inc., and its concomitant $115 million settlement with the victims of the breach, highlights whether you need Cyber Liability Insurance, also called Data Breach Insurance. Whether a cyber liability policy covers a HIPAA fine depends on the language in the policy. Ask your agent whether the policy covers such fines, and get it in writing if he says that it does. You should also have your lawyer look over the policy’s language. Some policies that cover HIPAA have a sublimit—which means that, if you are covered for, say, $1 million, but there’s a sublimit for HIPAA fines and violations of $200,000, the insurer would only pay the smaller amount for a fine or settlement of a HIPAA violation.
In considering whether insurance for a HIPAA breach or other violation is cost-effective, remember that the costs of mitigation (remediation of the failed or lacking security measure(s), notification to victims and compensation for the breach, and the like) often greatly exceed the CMP or settlement in lieu thereof. Blue Cross Blue Shield of Tennessee paid $1.5 million in lieu of a CMP to settle the HHS enforcement action but paid $17 million in remediation costs for a total of $18.5 million. A thief had stolen 57 hard drives containing about one million Blue Cross members’ unencrypted information.
Cyber liability insurance typically covers the following:
- Contacting customers after a breach of private information.
- Hiring IT forensic specialists to investigate a possible breach and figure out where the leak had occurred.
- PR/marketing professionals to handle your response to the breach.
- Credit monitoring for patients whose records were exposed.
Another form of such insurance, called Privacy and Computer Security Protection, generally covers the following:
- Claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of protected health information (“PHI”) or other confidential information.
- Vicarious liability for privacy breaches of an entity’s vendor/subcontractor.
- Costs associated with defense of regulatory actions.
- Costs associated with compliance with PHI breach notification requirements.
- Costs associated with public relations/crisis management professionals, and so forth.
Highly rated cyber insurance carriers include AIG, Chubb, Hiscok, Liberty Mutual, and HSB. In addition, your existing malpractice, errors and omissions, or general liability might provide a cyber security rider or similar rider if such policy does not cover HIPAA breaches and violations now.
Note, however, that insurance is not a substitute for HIPAA compliance. The insurer may assess your state of compliance in setting its rate for the policy. Nor can insurance totally make you whole from a major breach. The damage may be above the policy limits or, as in the case of lost business, be so hard to quantify that it can’t be adequately compensated for or consist of punitive damages if you were grossly negligent in your HIPAA compliance efforts. Punitive damages cannot, as a matter of public policy, be insured against because it doesn’t punish the offender to pay such damages if an insurer ultimately foots the bill. So if you don’t have insurance, consider whether it is necessary, but don’t fail to get and keep compliant. The Blue Cross Blue Shield loss, above, was largely for failure to update its risk analysis. Don’t forget to update yours!
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. Happy Easter week or Passover later this week.