HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Calculating the Cost of a HIPAA Data Breach

Calculating the cost of a HIPAA data breach is not a straightforward process, at least not until a number of years after a data breach has occurred. Actions must be taken following a breach, and the cost of notification and damage mitigation can spiral. Financial penalties are also being issued with increasing frequency to healthcare organizations fail to implement the appropriate privacy and security measures to protect patient healthcare data.

HIPAA and Breaches of Protected Health Information

The Health Insurance Portability and Accountability Act places a requirement on covered entities to employ the appropriate administrative, physical and technical safeguards to prevent the unauthorized disclosure of Protected Health Information (PHI). Patients must also be allowed access to their healthcare information on request, privacy must be respected and policies developed to de-identify data before it is used for research and marketing purposes.

Business Associates – any vendor required to come into contact with PHI – must also be vetted to make sure they comply with HIPAA Rules. When a Covered Entity (CE) violates these rules, penalties and sanctions can be applied.

When they lead to a data breaches and the disclosure of PHI, there are a number of responses that the CE must make to mitigate any damage and prevent future breaches from occurring. These responses carry a significant cost.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The Cost of a HIPAA Data Breach Can be Significant

The cost of a HIPAA data breach can be offset with breach insurance products, but how much cover is required? To determine that, it is essential to analyze the total potential cost of a data breach. However this is far from a simple task.

Class-action lawsuits may be filed on the grounds of negligence for failing to do enough to protect patient privacy. Breach fines may also be issued by the OCR and attorney generals’ offices.

Researchers have attempted to calculate the cost of a HIPAA data breach; with the Ponemon Institute and Verizon both having devised models to predict the “cost per record” after a data breach. Since many of the costs are hard to predict there is naturally a certain margin of error involved. Reducing that margin of error can save thousands of dollars in insurance costs and will ensure that if a breach does occur; the insurance company will foot the majority of the bill.

Even when breaches have been caused through no fault of the CE there are still costs that must be covered. If you need to estimate HIPAA data breach costs, consider the costs indicated in the infographic below



Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.