There’s no way of getting around HIPAA rules.
If you are a healthcare provider that comes into contact with Protected Health Information (PHI), HIPAA compliance is not voluntary. You simply have no option but to comply with HIPAA policies and procedures.
This can feel daunting, especially if you consider the continuous rise in data breaches experienced by the healthcare industry, particularly in the US.
“Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.” – Steve Alder, 2019 Healthcare Data Breach Report
It gets worse.
If your organization violates HIPAA regulations, you can face a jaw-dropping fine. Take, for example, the 2014 case in which the New York Presbyterian Hospital accidentally disclosed the records of 6,800 patients, making them available online and fully Google-able.
“The enactment of the Final Omnibus Rule in 2013 doubled the maximum fine for a single violation of HIPAA from $25,000 to $50,000 per compromised patient record. This meant that when the New York-Presbyterian Hospital inadvertently disclosed the unsecured records of 6,800 patients on the Internet, the potential fine for the violation of HIPAA could have been as much as $340 million. Fortunately (for the New York-Presbyterian Hospital) the breach of PHI was settled for $3.3 million.” – Marc Ladin, The Importance of HIPAA Compliance: 7 Things You Should Know
Here are some other examples of HIPAA violations:
- The University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records.
- North Memorial Health Care of Minnesota had to pay $1.55 million in a settlement for failing to enter into a Business Associate Agreement with a major contractor.
- The Memorial Healthcare System received a $5,500,000 penalty for insufficient ePHI access controls.
- The Memorial Hermann Health System had to pay $2.4 million in a settlement for disclosing a patient’s PHI in a press release.
If you think these are one-off cases, you are sorely mistaken.
A report by the Ponemon Institute found that 90% of surveyed healthcare institutions had at least one data breach within the past two years. What’s even more concerning is the continuous rise in the costs incurred by healthcare organizations facing a breach.
The researchers found that, for the ninth consecutive year, the healthcare sector is still the hardest hit financially by data breaches.
“Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.” – Steve Alder, 2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
All things considered, I think it’s clear why HIPAA compliance is so essential, not only for protecting sensitive patient information, but also for minimizing the risk of a data breach that could result in a huge fine, not to mention lasting damage to the organization’s reputation.
Process Street’s HIPAA policies and procedures templates
Not to worry though. With the correct processes in place, you can maintain compliance without having to deal with any unwelcome surprises. It’s also not expensive to set up an effective solution.
“The costs involved in implementing a secure messaging solution, conducting risk assessments and training employees to use the solution are much less than commonly believed.” – Marc Ladin, The Importance of HIPAA Compliance: 7 Things You Should Know
By integrating these checklists into your HIPAA management efforts, you will increase accountability and transparency, and provide your team with the tools they need to execute important workflows.