1 Way HIPAA Breaches Might Start Costing You More Than a Fine

With the number of HIPAA breaches seemingly increasing at an alarming rate, there may be a new trend in financial responsibility for the healthcare practice or business associate that is breached.

Most healthcare practices focus on HIPAA best practices (sometimes a little too late) to avoid fines from the HHS. Many don’t consider other repercussions such as:

  • Damaged Reputation
  • Loss of Clients
  • Increased Insurance Premiums
  • Continued OCR Monitoring
  • Cost of Implementing Changes

And until recently most didn’t concern themselves with being sued after a HIPAA breach.

That looks to be changing.

Here’s a list of reported lawsuits stemming from HIPAA breaches. Some of these cases are a few years old, but the lawsuits were all filed this year.

It seems patients, that is, the clients of healthcare practices and ancillary services, are growing weary of breach after breach.

HIPAA compliance is not optional. Many practices are not taking the protection of PHI seriously enough, and many patients and clients feel the Department of Health and Human Services fines and settlements are not punitive enough.

Imagine a healthcare system with tens of thousands of patients paying a $3 million fine. It’s a drop in the bucket for them.

Healthcare Clients Have Had Enough of the Lack of HIPAA Compliance

Patients and clients almost never receive any compensation for their PHI being compromised. If they do, it’s usually credit monitoring for a year or two.

To add to the frustration, many of the HIPAA breaches are avoidable. In at least two, probably three, of the cases above the attacker gained access via phishing. Phishing can be mitigated with stronger password policies, the use of MFA, advanced threat protection and user education.

The remaining case, involving Google, is due to the University of Chicago Medicine sharing patient records with Google without removing personal identifiers. What makes this interesting is that it was recently announced that Google is working with Ascension on a project involving PHI.

HIPAA Compliance Cost Analysis

This is a quick and dirty cost analysis of a HIPAA breach versus HIPAA compliance.

Currently, the average cost of a HIPAA breach is $408 per record. Many practices, even smaller ones, have 10,000 records or more. That means a HIPAA breach could cost an average healthcare provider a little over $4,000,000.

Chances are that if the breach is not due to negligence, the HIPAA settlement will be far less.

Let’s say the settlement is $100,000.

This does not take any of the following into consideration:

  • Reputation Loss
  • Client Loss
  • Change and Technology Implementation
  • Potential for Lawsuit

Let’s leave it at $100,000 for the sake of argument.

If the practice has 20 employees, it will take almost 2 years to exhaust a budget of $100,000 on IT and HIPAA compliance*.

Healthcare Providers Cannot Afford to Be Out of HIPAA Compliance

Many healthcare providers argue that the cost of hiring a qualified IT consultant and a HIPAA consultant (or an IT consultant who can also provide HIPAA consultation) is too high.

The truth is the risk and potential financial burden of not having a qualified IT consultant and HIPAA consultant is much higher.

Factor in the potential for class-action lawsuits (a very real potential in a litigious society) and the risk and cost are much higher.

Many of the HIPAA breaches are preventable, and some might see these breaches as negligence. A phishing attack is preventable with MFA. Theft is mitigated by encryption. A court of law might see it as negligence if these controls are not in place.

A class-action lawsuit has the potential for being far more damaging financially than a HIPAA settlement.

Time to get your ducks in a row.

*Support costs vary depending on the healthcare provider’s requirements and support provider rates. This analysis is based on the average price per user at the time of this article.

Scott Gombar

12 Comments

  • Cris Vanthul says:

    Agree 100%! There’s absolutely no reason for a healthcare provider to not have the most stringent of data protection policies in place.

  • Lyosha says:

    Very insightful post and information. I have thought much about it but I do think I should have

  • Laura G says:

    That’s a good thing! Thanks for including so much helpful information!

  • This is definitely something important that we should always approach when dealing with sensitive information. A lot of people are being victims of identity theft and fraud, because their personal information was accessed or divulged. Thanks for such an informative article. It’s definitely good to know all of this.

  • Sarah M says:

    This is such an insightful post. You have focused on the points that I have never considered before. Thanks for sharing useful information with us!

  • Susan1375 says:

    Insightful post, especially for medical clinicians. Especially interesting to learn about other countries’ laws on this.

  • It is frustrating that some organizations don’t take HIPAA seriously enough. Maybe this will make them start to pay a little bit more attention.

  • Nyxie says:

    Companies should be taking these things a lot more serious than they appear to be. Surely there was a need for these laws to be brought in? So why aren’t they being followed, and seemingly so effortlessly?

  • EG III says:

    It’s quite alarming that major organizations are not taking HIPAA seriously. This post was very insightful and thank you for bringing an important issue to light.

  • This is very insightful. Although these laws don’t apply in my own country, I think most health care institutions should take extra measures in protecting their patient information to avoid lawsuits.

  • Priya says:

    It’s really surprising for me to know that a lot of organizations are not taking HIPAA as seriously as they should be. This post was very detailed and helpful. Thanks.