Breach investigations may be drawn out and you could face costly fines
Healthcare organizations that are breached are often investigated by the Department of Health and Human Services Office for Civil Rights (OCR). The purpose of these investigations is to determine whether a HIPAA violation led to the breach. OCR investigations can last years, especially when the organization has failed to comply with HIPAA requirements. Healthcare organizations found to have failed to meet those requirements are subject to fines, corrective action plans, and ongoing OCR monitoring.
Breach victims can sue under state law
Although the federal HIPAA law gives individuals no "private right of action," that is, no right to sue a healthcare organization for a HIPAA violation, individuals can file lawsuits at the state level for violations of a state consumer privacy law or data security law.
Plaintiffs can file suit, as long as:
- The state consumer privacy law or data security law expressly provides for lawsuits to be filed, and
- The lawsuit is alleging a violation of the state’s privacy or data security law (as opposed to a “HIPAA violation”).
When breaches are large-scale, affecting individuals in multiple states, the breached healthcare organization can face a multi-state case. In 2020, a multi-state case against Anthem was settled for $39.5 million, after 43 states joined the case over a massive breach that began with a phishing attack.
Reputational damage and downtime can lead to lost profits
Critical business functions can be affected by a data breach, causing disruptions in operations. These disruptions, coupled with the breach itself, can damage a business's reputation. Studies have found that 29% of businesses experience a loss of revenue as the result of a breach, and that 38% of those businesses suffer a revenue loss of 20% or more.
Some breaches lead to businesses closing permanently
In some instances, organizations never recover from a breach. The costs of notifying affected patients and dealing with the aftermath of the breach have driven businesses into bankruptcy, and in several cases healthcare organizations have been forced to close their doors permanently after a breach.
HIPAA compliance helps protect you against breaches and fines
HIPAA compliance and cybersecurity go hand in hand. Several key components of HIPAA, in particular the administrative safeguards of the Security Rule, bolster an organization's cybersecurity practices, making this one of the most important healthcare cybersecurity facts.
HIPAA requires healthcare organizations to:
- Train the workforce on protecting patient data (45 CFR 164.530(b) and 164.308(a)(5)); HIPAA sets no fixed interval, and annual training with periodic security reminders is the common practice;
- Maintain security incident procedures and a contingency plan (45 CFR 164.308(a)(6) and (a)(7)) so that breaches are detected, reported, and recovered from quickly; and
- Conduct a security risk analysis (45 CFR 164.308(a)(1)(ii)(A)) to identify deficiencies in security practices, repeated periodically (in practice at least annually) and whenever the environment changes materially.
Not only does HIPAA compliance reduce the likelihood of breaches and aid in breach detection, it also limits an organization's exposure to fines. When OCR investigates a healthcare organization after a breach, it determines whether the organization's negligence led to the breach, and penalty tiers scale with the degree of culpability. An organization that has met all HIPAA requirements has made a "good faith effort" to ensure the privacy and security of protected health information; under the 2021 HITECH amendment, OCR must also take documented "recognized security practices" in place for the previous 12 months into account, which can substantially reduce or eliminate fines.