A file storage service was sued by the Illinois AG for disposing of paper records in a dumpster, and some of those records included PHI (protected health information). The storage service's clients included a small for-profit pediatric sub-specialty practice with 7 locations in Illinois. The HHS' Office for Civil Rights (OCR) conducted a compliance review of the practice and found that it did not have a written Business Associate Agreement to help ensure protection of its patients' PHI. The practice settled, including a payment of $31,000.
In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children's Digestive Health (CCDH) following the initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015.
Attention to regulatory requirements, along with strong IT security, is essential in protecting both the organization and its clients' information. However, this particular example does not involve any technology or IT breach: it involved paper records held by a third party, and a fine. With the right policy form, Cyber Risk Insurance can provide protection from regulators' fines or penalties arising from a breach of paper records such as the one noted above. Coverages vary widely, so a thorough review by your expert partner is essential to ensure that comprehensive coverage is in place.
Read More: http://specialtyinsurance.typepad.com/specialty_insurance_blog/2017/08/healthcare-data-breach-exposure.html