When we talk about HIPAA compliance, much of the emphasis is on avoiding Office for Civil Rights (OCR) fines and penalties. It is understandable that some of you may be skeptical about the threat of an audit happening to your company. However, the cost of a real-world breach can extend well beyond any amount OCR can dole out. Once you calculate these costs, you may want to reconsider the need for a well-executed HIPAA compliance plan.
Why Should I Worry?
You are much more likely to experience a breach than you are to be audited. According to the Identity Theft Resource Center, 91% of all healthcare organizations reported at least one data breach over the last two years. With the value of healthcare data at an all-time high, these breaches will increasingly extend beyond healthcare organizations to any covered entity or business associate with access to PHI. While you may be comfortable taking your chances with OCR, you may want to consider whether you can afford the cost of a real-world breach. Let's look at some examples:
Organization: Medical Practice
Breach: Lost device with 600 patient records, no encryption or password protection
Required Response:
- All patients must be notified of breach.
- Unless patients have agreed in advance to electronic notice, as documented in the Notice of Privacy Practices (NPP), notification must be sent by first-class mail.
- Legal professionals must review the notification plan and advise on other legal ramifications that may occur as a result of the breach.
- Credit monitoring should be offered to patients if their financial data may have been compromised (HIPAA itself does not mandate it, but some state laws do, and it is the expected remedy).
Estimated Real World Cost: $12,000-$16,750
- Notification cost – $500 – $750 – includes first class postage, stationery, labor
- Legal Fees – $7,500 – $10,000
- Credit Monitoring – $4,000 – $6,000
Real World Cost with a properly implemented HIPAA Compliance Plan: $0
If the device had been encrypted as the practice's HIPAA plan should specify, there would have been no reason to notify patients: PHI that is encrypted in a manner consistent with HHS guidance (NIST-approved algorithms, with the decryption key not stored on or lost with the device) is "secured" PHI, and its loss is not a reportable breach under the Breach Notification Rule. Note the caveat that a password or screen lock alone is not encryption and does not qualify for this safe harbor.
- Notification Cost – $0
- Legal Fees – $0
- Credit Monitoring – $0
Organization: Employer Health Plan
Breach: HR database containing PHI for 200 employees is hacked
Required Response:
- All employees must be notified of breach.
- Unless employees have agreed in advance to electronic notice, as documented in the NPP, notification must be sent by first-class mail.
- Legal professionals must review the notification plan and advise on other legal ramifications that may occur as a result of the breach.
- Security professionals will need to determine how the attacker got in, close that path, and confirm the attacker no longer has access.
- Credit monitoring should be offered to all employees after a breach.
Estimated Real World Cost: $11,100 – $19,900+
- Notification cost – $100 – $400 – includes first class postage, stationery, labor
- Legal Fees – $5,000 – $7,500
- Credit Monitoring – $1,000 – $2,000
- IT Security Fees – $5,000 – $10,000
Real World Cost with a properly implemented HIPAA Compliance Plan: $1,200 – $3,200
- Notification Cost – $0 as notification could be sent by email, employees having agreed to electronic notice as documented
- Legal Fees – $700 – $1,200 – the breach response procedures in the compliance plan would have dictated the correct legal response
- Credit Monitoring – $500 – $1,000 – employees could opt in if they felt it necessary
- IT Security Fees – $0 – $1,000 – a proper Risk Assessment, with its inventory of where PHI is stored and which controls protect it, would have made it far quicker to determine how the breach occurred and to contain it
Additional Costs
The costs outlined above are tangible ones that we can put a specific dollar amount against, but there is also the potential for an even larger cost: the loss of your patients', employees' and/or customers' trust.
According to a study conducted by TransUnion Healthcare, more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach, and about two in three respondents (65 percent) would avoid healthcare providers that experience a data breach.
The data isn't any better for employers. In an article by the Society for Human Resource Management, Matthew Tokarz, Senior Corporate Recruiter for Instant Alliance, explains, "If employee trust is a casualty of a cyber attack, the organization will inevitably face the daunting challenge of attracting and hiring top-level talent to the organization."
Double Jeopardy
OCR often opens investigations of covered entities based on breach reports and complaints filed, which means that if you haven't created and implemented your HIPAA compliance plan, in addition to the real-world costs above you must now also expect OCR fines and penalties. On the other hand, if you can show that you have a HIPAA compliance plan in place, OCR will often forgo fines and penalties and instead provide technical assistance or corrective measures to strengthen your compliance plan.
Regardless of how minor a breach you may experience, the cost of mitigating that breach will almost always exceed the cost of proactively protecting your organization with a well-developed and properly implemented HIPAA compliance plan.
Need to know where to start? Check out from Total HIPAA today!