HIPAA Data Breach: How to Calculate Costs

by | May 1, 2015

Calculating the cost of a HIPAA data violation is not a simple process, at least not until a number of years after a data breach happened. Corrective actions must be taken following a data breach, and the cost of notification and damage mitigation can escalate.

Financial penalties are also being applied with higher frequency to healthcare organizations fail to implement the proper privacy and security measures to protect patient healthcare data.

The Health Insurance Portability and Accountability Act places a requirement on covered bodies to use the appropriate administrative, physical and technical safeguards to stop the unauthorized disclosure of Protected Health Information (PHI). Patients must also be given access to their healthcare information on request, privacy must be respected and policies put in place to de-identify data before it is used for research and marketing purposes.

Business Associates – any vendor who must come into contact with PHI – must also be checked to make sure they comply with HIPAA Rules. When a Covered Entity (CE) violates these rules, penalties and sanctions can be applied.

When they result in data breaches and the disclosure of PHI, there are a number of responses that the CE must make to minimize any damage and prevent future breaches from happening. These responses carry a massive cost.

The cost of a HIPAA data breach can be lessened with breach insurance products, but how much cover is needed? To determine that, it is vital to analyze the total possible cost of a data breach. However this is far from a simple errand.

Class-action lawsuits may be submitted on the basis of negligence for failing to do enough to secure patient privacy. Breach fines may also be applied by the OCR and attorney generals’ offices.

Researchers have tried to estimate the cost of a HIPAA data breach; with the Ponemon Institute and Verizon both having formulated models to predict the “cost per record” after a data violation. Since many of the costs are hard to predict there will always be a certain margin of error involved. Minimizing that margin of error can save thousands of dollars in insurance costs and will ensure that if a breach does happen; the insurance company will incur the majority of the bill.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy