The growing risk of HIPAA fines continues to pose a major threat to healthcare organizations across the industry. These ongoing risks result from misconceptions about how to address federal HIPAA regulation. Unfortunately, there are no shortcuts when it comes to HIPAA. If providers want to avoid fines, they must implement an effective compliance program and abide by the HIPAA Rules.
But how do providers like you know where to begin?
HIPAA Fines on the Rise
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets standards for protecting the privacy and security of sensitive healthcare information. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) releases routine guidance on HIPAA compliance, and has stated that healthcare organizations must adopt a culture of compliance in order to protect the privacy, security, and integrity of protected health information (PHI). PHI is individually identifiable health information, including demographic details, that relates to a person's health condition, the care they receive, or payment for that care.
Many organizations realize the importance of protecting their patients’ information, but are still not HIPAA compliant. While the costs of protecting patient data may seem high, choosing not to be HIPAA compliant may result in far more serious expenses in the form of federal HIPAA fines, civil monetary penalties, state Attorney General settlements, and HIPAA lawsuits (not to mention the reputational damage associated with HIPAA violations).
Noncompliance issues are pervasive throughout the industry, affecting organizations of every size and scope. A HIPAA fine was recently levied against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital. HHS OCR announced a settlement with these organizations for compromising PHI by allowing an ABC television network documentary series to film without first obtaining authorization from patients.
Altogether, the three institutions had to pay $999,000 to settle potential HIPAA violations. This was the second HIPAA fine involving an ABC medical documentary series. In 2016, New York Presbyterian Hospital was also fined over possible privacy violations during the filming of “NY Med.”
In 2016, OCR began performing HIPAA compliance desk audits of selected covered entities and business associates across the country, collectively known as the Phase 2 HIPAA Audits. The results showed that 94% of the audited organizations had noncompliant risk management plans, 89% fell short of the Privacy Rule's patient right-of-access requirements, and 83% had not fully conducted a risk analysis.
Taken on their own, statistics like these might suggest that HIPAA compliance is optional. It is not. As healthcare and healthcare data become increasingly digital, the risk to healthcare providers has never been greater, and by failing to address their HIPAA compliance, providers across the country are putting themselves in the crosshairs of data breaches and fines that could do irreparable damage to their hard-fought reputations.
Compliance Costs Less Than Non-Compliance
The Ponemon Institute compared the costs of compliance with the costs of noncompliance, interviewing 237 executives at 53 multinational organizations in the U.S. Its December 2017 report found that 14.3% of IT spending went toward compliance, an average of $5.47 million per company, while the average cost of noncompliance was a staggering $14.82 million.
On those figures, noncompliance costs about 2.71 times more than simply implementing an effective compliance program in the first place.
The value of health data is on the rise, and so is the cost of safeguarding it. The electronic protected health information (ePHI) managed by organizations that require HIPAA compliance makes them attractive targets for attackers. The truth is, no compliance program is truly effective without properly implemented security measures, and no health IT security infrastructure is complete without an underlying compliance program. Compliance and security go hand in hand to protect sensitive healthcare data; both are absolutely essential.
The HIPAA Security Rule details three types of safeguards that every covered entity and business associate must have in place: administrative, physical, and technical. Administrative safeguards include the risk analysis and risk management process, policies and procedures, contingency planning (including data backup), documentation, and workforce training. Physical safeguards protect the premises, workstations, and devices and media that hold ePHI, through measures such as locks, alarm systems, and device and media disposal controls. Technical safeguards cover access control, audit controls, integrity protections, person or entity authentication, and transmission security; encryption of ePHI at rest and in transit is the usual way organizations address the Rule's encryption specifications. Each Security Rule standard is either required or addressable, and an addressable specification still has to be implemented, or its alternative and the reasoning for it documented. Healthcare organizations must meet these standards to maintain the confidentiality, integrity, and availability of ePHI.
According to Ponemon's Cost of a Data Breach studies from the past three years, a breached healthcare record costs more than a record from any other sector. In two of those three studies, the healthcare figure was more than double the worldwide average. The worldwide average cost per stolen record versus the healthcare figure for each year:
- 2017: all-industry average $141 per record vs. healthcare $380 per record
- 2016: all-industry average $158 per record vs. healthcare $355 per record
- 2015: all-industry average $217 per record vs. healthcare $363 per record
In the coming years, the rising cost of breached healthcare data will mean more risk than ever before, even for small providers and vendors. So how can you protect yourself from these mounting HIPAA fines and data breaches?
HIPAA Compliance, Simplified
Compliancy Group provides healthcare professionals with the tools they need to effectively address their HIPAA compliance with our web-based HIPAA app, The Guard™. The Guard allows users to address every element of HIPAA compliance.
Our unique methodology has made us the industry leader in simplified compliance. Users are paired with an expert Compliance Coach™ who guides them through each and every step of their compliance program. We answer your questions and give you a compliance program that is truly tailored to the needs of your individual business.
And in the event of a data breach or HIPAA audit, our Audit Response Team™ works with users through the entire documentation and reporting process. At Compliancy Group, we go above and beyond to help demonstrate that you have taken the necessary steps toward HIPAA compliance.
If you’re ready to find out more about how you can use compliance to protect yourself against the rising costs of data breaches and fines, click here!