Are HIPAA violations insurable?
- Amri Tarsis

- Nov 12

The healthcare industry is highly reliant on IT systems, storing sensitive personal data and medical records across multiple systems. Risk management for healthcare providers requires robust cybersecurity controls to prevent financial losses from cyberattacks and to comply with HIPAA to avoid penalties. In other industries, transferring cyber risk to a cyber insurance policy is straightforward, but in the healthcare industry it requires attention to the details and to the combination of cyber with professional liability insurance; even then, in some jurisdictions, punitive penalties may not be recoverable through insurance. This article discusses whether and how HIPAA violations can be insured.
HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 to ensure individuals' portability of health insurance and to hold healthcare providers accountable for protecting sensitive patient health information (PHI) from disclosure without the patient's consent or knowledge. According to Steve Alder's article published in "The HIPAA Journal", among "The 10 most common HIPAA violations to avoid", there are violations related to a cyber incident, such as a data breach caused by insufficient access control on the patient database, where a hacker successfully accesses patient information, but also other violations related to how the healthcare organization treats the data, such as the disposal of PHI, that may not be associated with a cyber incident.
How the different Insurance options may respond to HIPAA
To determine whether HIPAA violations are insurable and which components of a violation's costs are covered, it's essential to understand the different business insurance options and how they respond to HIPAA violations.
The "Commercial General Liability" is a foundational coverage that protects a business against financial losses from claims for bodily injury, property damage, or personal injury/advertising injury caused to third parties in the course of business operations. Classical coverage examples include a customer slipping and falling in your facilities or a competitor suing your company for defamation over an advertising campaign. This type of insurance policy, by default, excludes regulatory risks and the professional liability associated with medical practice. It will likely not cover any HIPAA violation expenses.
In the healthcare industry, "Medical professional liability", also known as "Errors & Omissions", is the insurance product designed to cover the risks associated with medical practice and, therefore, typically extends coverage to HIPAA proceedings against the insured.
Lessons Learned from HIPAA Violation Cases:
In 2022, a federal court considered an insurance dispute stemming from a multi-state attorneys' general HIPAA investigation. Thirty state AGs had sued a healthcare organization for a data breach, alleging HIPAA and consumer protection violations. The company's general liability insurer ultimately paid $2.7 million toward a settlement with the states, under a reservation of rights. Later, that insurer argued in court that it had no obligation to cover the payment because the policy excluded "any obligation to pay fines or penalties," and the coverage for the settlement was under the Errors & Omissions (E&O) policy. Source: "Settlement Paid to States to Resolve HIPAA and Consumer Protection Law Claims Constitutes Non-Covered 'Fines and Penalties'," Wiley.
As illustrated in the case above, "Medical Professional Liability" is a must-have insurance policy for healthcare providers to protect the organization against medical malpractice claims, and some policies may extend it to HIPAA proceedings. One observation is that, depending on the severity of the violation, penalties may result in settlements of thousands and even millions of dollars, making a standalone Medical Professional Liability Insurance policy's coverage insufficient.
"It's important to pay attention to the sub-limit for HIPAA, which may be significantly lower than the policy's aggregate limit. For example, a standalone $1 million Medical Professional Liability coverage policy may have less than $100K for HIPAA or regulatory proceedings."
The Cyber Insurance policy gained popularity for protecting companies against cyber incidents, and as HIPAA violations may be triggered by a cyber incident, Cyber Insurance is a good option to increase coverage for regulatory costs if it includes such coverage, because the sub-limit for regulatory costs typically matches the aggregate amount covered. For example, a $1 million Cyber Insurance policy may have the same limit for regulatory costs.
The challenge for healthcare providers in purchasing Medical Professional Liability insurance separately from Cyber insurance is that it may still fall short in coverage for HIPAA violations unrelated to a cyber incident.
The Benefit of buying a specialty product from Insurance providers that bundles Cyber with Professional Medical Liability is the comprehensive coverage for regulatory proceedings with higher Limits, whether or not related to a cyber incident.
HIPAA Violations expenses: What is covered or not by Insurance?
HIPAA violations may include the following expenses :
-Regulatory investigation and defense costs: Long before any fine is paid, an organization must respond to government inquiries and cover Legal fees for regulatory defense.
-Breach Notification and remediation costs: HIPAA’s Breach Notification Rule and parallel state laws require notifying affected individuals, providing credit monitoring, along with forensic investigations and upgrades to security systems.
-Civil Liabilities and settlements: While HIPAA itself doesn’t allow private lawsuits (individuals can’t sue under HIPAA’s provisions), data breaches often lead to class-action litigation under other theories (like negligence or consumer protection laws). Healthcare providers have faced lawsuits from patients or employees when sensitive health info was exposed. These settlements or judgments represent another category of loss
-Regulatory fines and penalties: OCR can impose civil monetary penalties up to $1.5 million per year for identical violations (and even more under updated HITECH tiers), especially for severe or willful neglect cases. State attorneys general can also bring actions under HIPAA and state consumer protection laws. These fines are considered punitive or deterrent in nature – essentially punishments for failing to protect patient privacy
While regulatory investigations and defense, breach notification and remediation, and civil liabilities and settlement expenses may be insurable, regulatory fines and penalties may not.
It is common nowadays for some insurance providers, especially in cyber and Medical Professional Liability insurance policies, to cover regulatory fines "if insurable by law". It is advisable to read and understand the exclusions of the policy: some insurance carriers may deny payment due to gross negligence, or upon finding that the statements made by the insured in the application do not reflect reality, which is a topic for another discussion.
The statement "if insurable by law" requires interpretation as well, because conceptually punitive penalties are not insurable. Some states, like New York and California, have statutes that prevent insurance companies from covering civil and criminal penalties; where it is allowed, if the policy affirmatively covers regulatory proceedings, it may eventually respond to recover fines. Considering the large amount of the other expenses, having comprehensive insurance coverage for regulatory expenses is still the best option, especially to cover the legal defense. Learn more about the Insurability of Civil Fines and Penalties.
What is the Best Risk Management Strategy to minimize the risk of HIPAA violations and their associated expenses?
HIPAA Compliance is the golden rule for avoiding penalties, which includes robust cybersecurity controls and specific procedures related to the protection of PHI. However, cyberattack risks can't be eliminated, so a comprehensive insurance policy that combines Professional Medical Liability and Cyber, as well as affirmative coverage for regulatory fines if insurable by law, is recommended. As penalties may not be insurable in some cases, being proactive and avoiding negligence is essential. Penalties for HIPAA violations also increase with the level of negligence, with different tiers and penalty amounts.