HIPAA Compliance is a Business Decision
A couple of weeks ago, I was talking with a technology vendor who is starting to move into the healthcare space. Their technology isn’t used in the creation or manipulation of patients’ protected health information (PHI), but they do store information on behalf of healthcare organizations that could potentially include PHI. They wanted to know, “Are we required to comply with HIPAA?” Technically – yes. On the other hand, there are hundreds of healthcare organizations and healthcare vendors who actively choose not to comply.
As a healthcare organization or vendor with narrow profit margins, it’s understandable that one might think of HIPAA as a deferrable expense. After all, what are the chances of an information breach? Of an OCR audit?
Unfortunately, the chances are significant, and growing. Consider these facts:
- A healthcare record is worth 100-300 times the value of a credit card record on the black market (i.e., $100-$300 per healthcare record vs. $1 per credit card account number). Consequently, cyber criminals are targeting healthcare organizations.
- Healthcare organizations, in general, are very vulnerable to cyber attacks for a variety of reasons, including a lack of personnel with cybersecurity expertise; years of under-investment in IT infrastructure; naivety regarding the threats; high staff churn; and poor physical facility controls.
- The risk of an OCR audit is very small. The risk of a covered entity being breached is very high. If breached, the risk of an OCR audit goes to 100%.
- If a Covered Entity is breached and then audited, the risk of that Covered Entity’s Business Associates being audited is also very high.
- When audited, organizations that can demonstrate they have taken all appropriate precautions will be fined at the lowest rate, or not at all. On the other hand, organizations that have actively neglected cybersecurity and HIPAA compliance will be fined at the "highest rate." In fact, some recent fines levied by the OCR have exceeded what was previously thought to be the "maximum allowable."
- The fine is only a portion of the total breach remediation costs. Other costs include patient notification (approximately $4 per affected patient); credit monitoring for affected individuals (free to the patients) for 1-3 years; legal fees; class action lawsuit settlements; personnel time spent handling the remediation; and reputation loss.
- Finally, HIPAA violations can now be prosecuted as both civil and criminal offenses.
Whether and how to invest in cybersecurity training, cybersecurity technology, and HIPAA compliance is a business decision only you can make, based on your own ethics and risk tolerance. Be sure, however, to base your decision on facts. Up-to-date breach information across industries is available at the Identity Theft Resource Center (ITRC). A list of healthcare organizations fined for HIPAA violations following a breach can be found on the HHS OCR’s Breach Report list. Whatever your choice, ensure that you have protected your customers’ data, protected your organization from the risk of data loss, and protected yourself by understanding and complying with all relevant laws.