HIPAA Pricing: The Cost of Noncompliance

HIPAA pricing is made up of several components, and depending on who you ask, you will most likely get a range of answers. So, what does HIPAA cost?

What is HIPAA Pricing?

Well, HIPAA pricing can mean different things to different people. HIPAA pricing includes the cost of conducting self-audits (including a risk analysis), creating remediation plans, implementing remediation plans, building your organization’s policies and procedures, vetting business associates, and responding to and mitigating incidents. 

Cost of Breaches and Fines


HIPAA compliance becomes expensive when healthcare organizations do not meet, or only partially meet, HIPAA requirements.

When this occurs, healthcare organizations are left vulnerable, often falling victim to breaches due to their lack of HIPAA security policies. Another thing that factors into HIPAA pricing for noncompliant organizations is the cost of HIPAA fines, reporting breaches, and implementing corrective action plans.

There has been an explosion of healthcare breaches over the last several years, the majority of which occur due to phishing attacks. On average, there are 600 cyberattacks a week that target healthcare organizations. According to cybersecurity experts, the average cost of a data breach is $8.1 million, and it takes an organization 287 days to recover. The reason recovery takes so long, particularly for healthcare organizations, is that threat actors often maliciously encrypt sensitive data so that it is inaccessible to the organization. Additionally, it is common for threat actors to demand a ransom for the return of files, or to sell the data to other entities that will exploit the organization for money.


Another cost related to healthcare breaches is reporting the breach to affected patients. This can become extremely costly for organizations that experience large-scale breaches. For instance, in 2019 AMCA, a HIPAA business associate, suffered a breach affecting 7 million patients. It then had to mail breach notification letters to each of these patients, costing the organization $3.8 million and ultimately leading it to file for bankruptcy.

Additionally, when a breach compromises a patient’s financial information or Social Security number, the organization must offer affected patients 12 months of identity theft protection and credit monitoring.

Then there’s the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). When a healthcare organization suffers a breach of protected health information (PHI), and the organization lacks an effective HIPAA compliance program, OCR will fine the organization.

HIPAA fines are based on the level of perceived negligence committed by the organization being investigated.

Tier 1 is the “No Knowledge” Tier: $100-$50,000 Per Incident

Under this tier, an organization did not know (and, by exercising reasonable diligence, would not have known) that a member of its workforce violated a HIPAA provision.

Tier 2 is the “Reasonable Cause” Tier: $1,000-$50,000 Per Incident

Under this tier, the violation was due to reasonable cause, not willful neglect. “Reasonable Cause” means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA regulation. However, the act or omission was not due to willful neglect.

Tier 3 is the “Willful Neglect – Corrected” Tier: $10,000-$50,000 Per Incident

In this tier, the violation is due to willful neglect, but the violation is corrected in a timely manner.

Tier 4 is the “Willful Neglect – Not Corrected” Tier: $50,000 Per Incident

In this tier, the violation is due to willful neglect, and is not corrected in a timely manner.

But the HHS’ OCR doesn’t only investigate organizations that have suffered a breach; it also investigates organizations that have had a complaint issued against them. This complaint can come from an organization employee or a patient. For instance, several of the fines issued in 2020 were the result of patient complaints. These patients, who had requested copies of their medical records, were not given access to them in a timely manner. Therefore, these organizations violated the HIPAA right of access