The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) reqiores that all covered bodies put in place the appropriate administrative, physical and technical safeguards to keep PHI secure. Failure to adopt those basic minimum standards can lead to more than a fine from the Department of Health and Human Services’ Office for Civil Rights (OCR). The cost of HIPAA non-compliance is high.
Since the HIPAA Enforcement Act, the OCR has been able to fine organizations that fail to implement the proper security measuresto protect healthcare data and the privacy of patients. Fines of up to $1.5 million can be applied for HIPAA violations, with that number made larger by the number of years each violation has been allowed to persist.
Multimillion dollar financial penalties have already been applied for non-compliance, but a HIPAA-violation penalty is one of the lower costs covered entities have to cover. Organizations experiencing even comparatively small data breaches can see the cost of a data healthcare data breach explode.
Tenet Healthcare estimated that its data breach would cost in the region of $32.5 million, while the Anthem hacking incident has been predicted to cost considerably more; conservative estimates start at $100 million.
Breach notification costs cannot be ignored. Printing and mailing millions of letters by first class mail – in addition to sending updates as further information becomes available – sees breach costs soar. The provision of credit monitoring and credit repair services must also be added to the total.
Recent research carried out by credit agency TransUnion showed that patients and health plan members may even change provider after a data violation. 65% of respondents taking part in the survey said they would think about making the change after a data breach exposed their confidential history. Civil Action lawsuits can also be taken against health plans and healthcare providers for data breaches on the grounds of negligence.