“HIPAA Fines and the Physical-Digital Divide”

Health and Human Services’ (HHS) Office for Civil Rights recently issued a $239,000.00 HIPAA fine to Lincare, Inc.  I don’t know if the fine will be covered by cyberinsurance.  I don’t even know whether the company has cyberinsurance.

What I do know is that the fact pattern highlights a critical coverage issue for healthcare entities.  The Lincare breach did not involve electronic records.  An employee had stored physical records for 278 patients in his home.  When the employee moved, he left the records behind.  They were discovered by a third party who was – surprise – not authorized to access them.  Earlier this month, an administrative law judge affirmed the relatively hefty fine in light of the modest number of compromised records.

Had Lincare’s breach been of the electronic variety, a cyberinsurance policy with regulatory coverage would likely pick up the tab (dependent on policy language, of course).  The situation is  more complicated when physical documents are involved.  There’s case law on how physical data breaches interact with other types of insurance, such as commercial general liability (CGL), but I’m not aware of any reported case determining whether a physical breach triggers cyberinsurance coverage (if you are, let me know).

The answer likely depends on a myriad of policy-specific definitions, coverage elements and exclusions.  More broadly, though, cyberinsurance policies were created primarily with electronic data in mind.  In fact, much of the case law leading to the widespread proliferation of these policies specifically grappled with whether electronic data was “physical” or “tangible” property within the meaning of CGL policies.  As carriers have mostly cleared up any ambiguity by incorporating new language and more precise exclusions, cyberinsurance has become a means of filling the gap created by the absence of electronic data coverage in CGL and other traditional policies.

But what about physical data?  While there may be coverage under CGL or other policies because the records are physical property, the type of coverage is likely inadequate.  For example, most CGL policies – unlike well-conceived cyber policies – don’t cover regulatory fines.  This is only one way in which multiple markets continue to struggle with the physical-digital data divide, but it’s one that entities maintaining large amounts of physical records have at least 239,000 new reasons not to ignore.