In 2017, we published an article outlining the complications that arise when a healthcare organization violates HIPAA requirements. In the three years since we shared those facts, a lot has changed. The US healthcare system has seen new federal regulations on data sharing, an increase in telehealth and interoperability, and faced a global pandemic. One constant has been the need to protect patient health information.
Protected health information (PHI) is some of the most valuable data out there. A single PHI record can yield up to $20,000 for the criminals who steal it. PHI is so valuable because it bundles identifiers that cannot simply be reissued, such as Social Security numbers, with medical and insurance details; unlike a stolen payment card, which can be cancelled, that data stays useful for years. Cybercriminals can also exploit PHI for longer than other stolen data because it often takes weeks or months for a healthcare data breach to be discovered.
Healthcare organizations often underinvest in IT security. The SANS Institute, the world's largest provider of cybersecurity training, recommends spending about 10% of a business's annual IT budget on cybersecurity, but most healthcare organizations spend only about 3%.
So, the question remains: what is your business risking by underinvesting in healthcare data security?
Before we dive in, it's important to note the recent changes to HIPAA requirements driven by the COVID-19 pandemic. The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), relaxed enforcement of some HIPAA requirements in response to COVID-19.
Some of these changes were made to smooth the transition from in-person to telehealth appointments. Several additional updates cover other areas, such as sharing a patient's infection status with first responders.
A major motivator for ensuring HIPAA compliance across your organization is avoiding the hefty fines. In March 2020, the Department of Health and Human Services raised the financial penalties for HIPAA violations to the following inflation-adjusted amounts, organized into four tiers by the organization's level of culpability:
- If the organization did not know of the violation (and, exercising reasonable diligence, would not have known), the penalty ranges from $119 to $59,522 per violation.
- If the violation was due to reasonable cause (and not willful neglect), the penalty ranges from $1,191 to $59,522 per violation.
- If the violation was due to willful neglect but was corrected in a timely manner, the penalty ranges from $11,904 to $59,522 per violation.
- For violations caused by willful neglect that are not corrected, the penalty starts at $59,522 per violation, up to an annual cap of $1,785,651 for all violations of an identical requirement.
In 2020, the Office for Civil Rights reached the second largest settlement in its history. After a breach affecting 10.4 million people, Premera Blue Cross (PBC) agreed to pay $6.85 million to resolve the HIPAA investigation. You may be thinking that your organization doesn't hold nearly enough data to face a sum like that. But if data breaches go unreported or unresolved, the fines pile up, and they can bankrupt a business.
Paying a fine is only part of resolving a HIPAA violation. Alongside the payment, OCR typically requires your organization to work through a deadline-driven corrective action plan (CAP). The dollar amount may look like the worst part of the resolution, but the corrective action plan is just as painful: it is mandatory, burdensome, and monitored by OCR for its entire term.
These plans typically last one to three years and are designed to address the specific issues uncovered in the initial investigation. The key requirements of a CAP are usually:
- Conduct a Risk Analysis every year
- Develop and implement a Risk Management Plan
- Report events that may lead to HIPAA violations
- Keep documentation for six years
Additional requirements may be included based on the specific security weaknesses plaguing an organization. These requirements might include better oversight of business associates, updated policies, or workforce training.
Some HIPAA penalties haven't changed at all since our 2017 article. For example, certain HIPAA violations still carry criminal penalties. Arrest isn't a major concern for most healthcare organizations as a whole. However, an individual who knowingly obtains or discloses a patient's health information, or sells it, can face criminal charges.
Criminal penalties for individuals top out at a fine of up to $250,000 and a maximum prison term of 10 years. Fines and jail time are ordered on a three-tiered approach that scales with intent:
- Knowingly obtaining or disclosing PHI: a fine of up to $50,000 and up to one year in prison.
- Doing so under false pretenses: a fine of up to $100,000 and up to five years in prison.
- Doing so with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to ten years in prison.
Career Decline and Patient Mistrust
One of the most valuable assets your healthcare organization has is the trust of its patients. For many providers, word of mouth from patients is a huge business generator. Your patients put a great deal of faith in your organization to keep their most sensitive information safe. If you compromise their privacy, they will lose that trust, may seek care elsewhere, and are unlikely to recommend your practice to others.
Additionally, many patients find your practice through an internet search for services in their area. HIPAA enforcement is public: OCR publishes its resolution agreements, lists breaches affecting 500 or more individuals on its public breach portal, and releases other records under the Freedom of Information Act. That means even one small violation could be the first thing that pops up when a patient searches for your organization.
Failing to comply with HIPAA requirements can do real damage to your business by stripping your organization of credibility. For small practices, that damage could be irreversible.
Failing to comply with HIPAA requirements exposes your business to serious consequences. Make sure you're using HIPAA-compliant solutions like Formstack. Start a free trial today to start collecting and managing patient health data securely.