Securing, protecting, and ensuring that health information remains private has become an ever-increasing challenge, with fiscal penalties for failure growing almost at the same rate that EHI and EPHI data are expanding. Adherence to HIPAA must not be focused solely on a “point-in-time” that aligns with the organization’s audit and compliance review cycle. Therefore, healthcare organizations must embrace HIPAA as an ongoing, full-time effort that requires a combined program of resources and compliance tools to ensure success. This allows institutions to avoid penalties and remediation costs that aren’t budgeted for.
For example, on the black market a stolen social security card costs one dollar, while a stolen medical record is worth $50. Healthcare information is ripe for a breach because it allows a fraudster to take over the victim’s identity in its entirety.
Let’s look at some recent HIPAA violations that have materialized in fines:
- CIGNET → fine: $4,300,000
- Concentra → fine: $1,725,220
- Alaska Department of Health and Human Services → fine: $1,700,000
- WellPoint → fine: $1,700,000
- Blue Cross Blue Shield of Tennessee → fine: $1,500,000
- Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates → fine: $1,500,000
- Affinity Health Plan → fine: $1,215,780
- South Shore Hospital → fine: $750,000
- Idaho State University → fine: $400,000
- Shasta Regional Medical Center → fine: $275,000
- Phoenix Cardiac Surgery → fine: $100,000
- The Hospice of Northern Idaho → fine: $50,000
Source: U.S. Dept. of Health & Human Services (HHS), Case Examples and Resolution Agreements
Below is a slide I recently developed that demonstrates the costs of remediation to an organization that experiences a breach:
The digital age is driving new restrictions on using Personal Health Information (PHI) within Healthcare organizations. HHS Secretary Kathleen Sebelius recently emphasized that “…much has changed in healthcare since HIPAA was enacted over 15 years ago…” and that the “…new rules associated with PHI/EPHI data will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age”.
Prevention is still the best approach for reducing the risk of an information breach and ensuring your organization is HIPAA compliant. The human-error factor in security breaches can only truly be addressed by educating, and re-educating time and time again, the organizational resources that interact with sensitive data covered by HIPAA. Prevention at its core isn’t a one-and-done concept; it must become part of your organization’s DNA.