1 Way HIPAA Breaches Might Start Costing You More Than a Fine
With the number of HIPAA breaches seemingly increasing at an alarming rate, there may be a new trend in financial responsibility for the healthcare practice or business associate that is breached.
Most healthcare practices focus on HIPAA best practices (sometimes a little too late) to avoid fines from the HHS. Many don’t consider other repercussions such as:
- Damaged Reputation
- Loss of Clients
- Increased Insurance Premiums
- Continued OCR Monitoring
- Cost of Implementing Changes
And until recently most didn’t concern themselves with being sued after a HIPAA breach.
That looks to be changing.
Here’s a list of reported lawsuits stemming from HIPAA breaches. Some of these cases are a few years old, but the lawsuits were all filed this year.
- Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.
- Solara Medical Supplies Sued Over 114,000-Record Data Breach
- A class-action lawsuit has been filed against UConn Health, over its reported phishing attack that potentially breached the data of 326,000 patients.
- A class-action lawsuit accuses UChicago Medicine and Google of violating patient privacy by sharing thousands of patient records – without removing personal identifiers, according to a New York Times report.
It seems patients, that is, clients of healthcare practices and ancillary services, are growing weary of breach after breach.
HIPAA Compliance is not optional. Many practices are not taking protecting PHI seriously enough. Many patients and clients feel the Department of Health and Human Services fines and settlements are not punitive enough.
Imagine a healthcare system with tens of thousands of patients paying a $3 million fine. It’s a drop in the bucket for them.
Healthcare Clients Have Had Enough of the Lack of HIPAA Compliance
Patients and clients almost never receive any compensation for their PHI being compromised. If they do, it’s usually credit monitoring for a year or two.
To add to the frustration, many of the HIPAA breaches are avoidable. In at least two, probably three, of the cases above the attacker gained access via phishing. Phishing can be mitigated with stronger password policies, the use of MFA, advanced threat protection and education.
The remaining case involving Google is due to the University of Chicago Medicine sharing patient records with Google without removing personal identifiers. What makes this interesting is it was recently announced that Google is working with Ascension on a project involving PHI.
HIPAA Compliance Cost Analysis
This is a quick and dirty cost analysis of a HIPAA Breach Versus HIPAA Compliance.
Currently, the average cost of a HIPAA breach is $408 per record. Many practices, even smaller ones, have 10,000 records or more. That means a HIPAA breach could cost an average healthcare provider a little over $4,000,000.
Chances are if the breach is not due to negligence the HIPAA settlement will be far less.
Let’s say the settlement is $100,000.
This does not take any of the following into consideration:
- Reputation Loss
- Client Loss
- Change and Technology Implementation
- Potential for Lawsuit
Let’s leave it at $100,000 for the sake of argument.
If the practice has 20 employees, it will take almost 2 years to exhaust a budget of $100,000 for IT and HIPAA compliance*.
Healthcare Providers Cannot Afford to Be Out of HIPAA Compliance
Many healthcare providers argue that the cost of hiring a qualified IT consultant and a HIPAA consultant (or an IT consultant who can also provide HIPAA consultation) is too high.
The truth is the risk and potential financial burden of not having a qualified IT consultant and HIPAA consultant is much higher.
Factor in the potential for class-action lawsuits (a very real potential in a litigious society) and the risk and cost are much higher.
Many of the HIPAA breaches are preventable. Some might see these breaches as negligence. A phishing attack is preventable with MFA. Theft is mitigated by encryption. A court of law might see these as negligence if they’re not in place.
A class-action lawsuit has the potential for being far more damaging financially than a HIPAA settlement.
Time to get your ducks in a row.
*Support Costs Vary Depending on the Healthcare Provider’s Requirements & Support Provider Rates. This analysis is based on the average price per user at the time of this article.
Agree 100%! There’s absolutely no reason for a healthcare provider to not have the most stringent of data protection policies in place.
Very insightful post and information. I have thought much about it but I do think I should have
That’s a good thing! Thanks for including so much helpful information!
This is definitely something important that we should always approach when dealing with sensitive information. A lot of people are being victims of identity theft and fraud, because their personal information was accessed or divulged. Thanks for such an informative article. It’s definitely good to know all of this.
This is such an insightful post. You have focused on the points that I have never considered before. Thanks for sharing useful information with us!
Insightful post, especially for medical clinicians. Especially interesting to learn about other countries’ laws on this.
Very detailed post! It’s so important for the companies to follow all these carefully! Hope they take more care at least now!
It is frustrating that some organizations don’t take HIPAA seriously enough. Maybe this will make them start to pay a little bit more attention.
Companies should be taking these things a lot more seriously than they appear to be. Surely there was a need for these laws to be brought in? So why aren’t they being followed, and seemingly so effortlessly?
It’s quite alarming that major organizations are not taking HIPAA seriously. This post was very insightful and thank you for bringing an important issue to light.
This is very insightful. Although these laws don’t apply in my own country, I think most health care institutions should take extra measures in protecting their patient information to avoid lawsuits.
It’s really surprising for me to know that a lot of organizations are not taking HIPAA as seriously as they should be. This post was very detailed and helpful. Thanks.