HIPAA Data Breach: How to Calculate Costs

Calculating the cost of a HIPAA data violation is not a simple process, at least not until a number of years after a data breach happened. Corrective actions must be taken following a data breach, and the cost of notification and damage mitigation can escalate.

Financial penalties are also being applied with higher frequency to healthcare organizations fail to implement the proper privacy and security measures to protect patient healthcare data.

The Health Insurance Portability and Accountability Act places a requirement on covered bodies to use the appropriate administrative, physical and technical safeguards to stop the unauthorized disclosure of Protected Health Information (PHI). Patients must also be given access to their healthcare information on request, privacy must be respected and policies put in place to de-identify data before it is used for research and marketing purposes.

Business Associates – any vendor who must come into contact with PHI – must also be checked to make sure they comply with HIPAA Rules. When a Covered Entity (CE) violates these rules, penalties and sanctions can be applied.

When they result in data breaches and the disclosure of PHI, there are a number of responses that the CE must make to minimize any damage and prevent future breaches from happening. These responses carry a massive cost.

The cost of a HIPAA data breach can be lessened with breach insurance products, but how much cover is needed? To determine that, it is vital to analyze the total possible cost of a data breach. However this is far from a simple errand.

Class-action lawsuits may be submitted on the basis of negligence for failing to do enough to secure patient privacy. Breach fines may also be applied by the OCR and attorney generals’ offices.

Researchers have tried to estimate the cost of a HIPAA data breach; with the Ponemon Institute and Verizon both having formulated models to predict the “cost per record” after a data violation. Since many of the costs are hard to predict there will always be a certain margin of error involved. Minimizing that margin of error can save thousands of dollars in insurance costs and will ensure that if a breach does happen; the insurance company will incur the majority of the bill.