Another cost related to healthcare breaches is reporting the breach to affected patients. This can become extremely costly for organizations that experience large-scale breaches. For instance, in 2019 AMCA, a HIPAA business associate, suffered a breach affecting 7 million patients. It then had to mail breach notification letters to each of these patients, which cost the organization $3.8 million and ultimately led it to file for bankruptcy.
Additionally, when a breach compromises a patient’s financial information or Social Security number, the organization must offer affected patients 12 months of identity theft protection and credit monitoring.
Then there’s the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). When a healthcare organization suffers a breach of protected health information (PHI), and the organization lacks an effective HIPAA compliance program, OCR will fine the organization.
HIPAA fines are based on the level of perceived negligence committed by the organization being investigated.
Tier 1 is the “No Knowledge” Tier: $100-$50,000 Per Incident
Under this tier, an organization did not know (and, by exercising reasonable diligence, would not have known) that a member of its workforce violated a HIPAA provision.
Tier 2 is the “Reasonable Cause” Tier: $1,000-$50,000 Per Incident
Under this tier, the violation was due to reasonable cause, not willful neglect. “Reasonable Cause” means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated a HIPAA regulation. However, the act or omission was not due to willful neglect.
Tier 3 is the “Willful Neglect – Corrected” Tier: $10,000-$50,000 Per Incident
In this tier, the violation is due to willful neglect, but the violation is corrected in a timely manner.
Tier 4 is the “Willful Neglect – Not Corrected” Tier: $50,000 Per Incident
In this tier, the violation is due to willful neglect, and is not corrected in a timely manner.
But the HHS’ OCR doesn’t only investigate organizations that have suffered a breach; it also investigates organizations that have had a complaint filed against them. The complaint can come from an employee of the organization or from a patient. For instance, several of the fines issued in 2020 were the result of patient complaints. These patients had requested copies of their medical records and were not given access to them in a timely manner. Therefore, these organizations violated the HIPAA right of access.