A HIPAA data breach case between CVS Pharmacy, Inc. and Caremark Rx LLC (CVS) and their business associate Press America, Inc. highlights the risks of contracting vendors to store or distribute sensitive information.

In the case of CVS Pharmacy, Inc. v. Press America, Inc., a vendor error became a costly financial liability. CVS, serving as the pharmacy benefits manager for an IBM group health plan, hired Press America to print and mail paperwork to beneficiaries that included protected health information (PHI). Press America made an error in a batch of mailings, resulting in the accidental disclosure of PHI for 41 IBM beneficiaries.

The agreement between CVS and IBM required that CVS comply with “performance standards,” including payment of a “fee adjustment” in the event of a “Protection of Information Failure,” which includes PHI disclosures. For Press America’s error, CVS credited IBM $1,845,000, or $45,000 per disclosure. CVS then turned to its vendor, Press America, for reimbursement, but Press America denied the request, arguing that the fee was not directly associated with the data breach and related costs. CVS followed up by suing Press America to recoup its loss, and the case continues. In this case, the argument is not about who is at fault for the data breach, but rather who is responsible for the damages.

When it comes down to it, every business in the healthcare sector handles sensitive data as part of its daily operations. When vendors are brought into the equation, the risks increase. Clients often require vendors to acquire cyber liability coverage when handling sensitive data or PHI, but with the rising cost of a data breach, cyber coverage alone is not always enough protection. When Press America refused to reimburse CVS for the fee adjustments paid to IBM, it argued that the fee was not directly associated with the data breach and related costs.

Industry-specific coverage options can help address the unique exposures that providers face. Features such as business interruption, coverage for HIPAA corrective action plans, post-breach remediation and no exclusion for contractual liability can help providers avoid costly litigation in a dispute with a vendor.

Before entering into a contract with a vendor, partner with a trusted expert in the unique professional and cyber liability needs of healthcare providers. Knowledgeable agents can provide helpful contract suggestions as well as help to market, structure and negotiate insurance to meet the liability needs of both the policyholder and the vendor.

 

About Highland Risk Services

At Highland Risk, we use our expertise and experience to provide insurance information and programs to those who serve long-term care and senior living facilities. Since 2007, we’ve been offering insurance and risk management plans designed to help our agents give their clients the ability to achieve continued growth while simultaneously protecting against loss, containing costs and increasing profitability. With offices to serve you in Chicago, Illinois and Phoenix, Arizona, we do everything we can to make your experience with us as professional and transparent as possible. To learn more, contact us at (847) 832-9100.