Calculating the cost of a HIPAA data breach is not a straightforward process, at least not until a number of years after a data breach has occurred. Actions must be taken following a breach, and the cost of notification and damage mitigation can spiral. Financial penalties are also being issued with increasing frequency to healthcare organizations that fail to implement the appropriate privacy and security measures to protect patient healthcare data.
HIPAA and Breaches of Protected Health Information
The Health Insurance Portability and Accountability Act places a requirement on covered entities to employ the appropriate administrative, physical and technical safeguards to prevent the unauthorized disclosure of Protected Health Information (PHI). Patients must also be allowed access to their healthcare information on request, privacy must be respected and policies developed to de-identify data before it is used for research and marketing purposes.
Business Associates – any vendor required to come into contact with PHI – must also be vetted to make sure they comply with HIPAA Rules. When a Covered Entity (CE) violates these rules, penalties and sanctions can be applied.
When violations lead to a data breach and the disclosure of PHI, there are a number of responses that the CE must make to mitigate any damage and prevent future breaches from occurring. These responses carry a significant cost.
The Cost of a HIPAA Data Breach Can be Significant
The cost of a HIPAA data breach can be offset with breach insurance products, but how much cover is required? To determine that, it is essential to analyze the total potential cost of a data breach. However, this is far from a simple task.
Class-action lawsuits may be filed on the grounds of negligence for failing to do enough to protect patient privacy. Breach fines may also be issued by the OCR and the offices of attorneys general.
Researchers have attempted to calculate the cost of a HIPAA data breach, with the Ponemon Institute and Verizon both having devised models to predict the “cost per record” after a data breach. Since many of the costs are hard to predict, there is naturally a certain margin of error involved. Reducing that margin of error can save thousands of dollars in insurance costs and will ensure that if a breach does occur, the insurance company will foot the majority of the bill.
Even when breaches have been caused through no fault of the CE, there are still costs that must be covered. If you need to estimate HIPAA data breach costs, consider the costs indicated in the infographic below.