The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Editorial: The Cost of Non-Compliance with HIPAA

The cost of non-compliance with HIPAA can vary depending on the nature of non-compliant events, the actions of regulators, the effort required to reverse a “culture of non-compliance”, reputational damage, legal fees, and class action lawsuits. Due to the potential cost of non-compliance with HIPAA, it can be beneficial for covered entities and business associates to invest in HIPAA compliance.

Investigations of cyberattacks often trace the cause of the incident back to non-compliance with HIPAA, such as the failure to implement appropriate security measures to comply with the HIPAA Security Rule or the failure to conduct a comprehensive, organization-wide risk analysis to identify risk and vulnerabilities to electronic protected health information (ePHI). These compliance failures can prove incredibly costly. According to IBM’s 2023 Cost of a Data Breach Report, healthcare data breaches cost more than any other sector, and in 2023 have increased to an average of $10.93 million per incident.

Cyberattacks often cause considerable disruption to business operations, which is one of the biggest costs of non-compliance. Cybercriminals understand that healthcare organizations are heavily reliant on their IT systems and need constant access to electronic health records, and that makes them prime targets for extortion. Attacks that prevent access to essential IT systems and patient records force healthcare providers to divert ambulances and postpone or cancel appointments to ensure patient safety, and that can significantly reduce revenue. Without access to IT systems, staff are forced to use pen and paper to record patient data, resulting in massive productivity losses and increased stress for staff members.

Cyberattacks can cause significant delays in providing medical services, disrupt patient flow, and extend hospital stays. Attacks stemming from non-compliance with the HIPAA Rules also threaten patient safety. One recent study found that 66% of hospitals that experienced a cyberattack said the attack disrupted patient care, 50% said an attack resulted in an increase in medical procedure complications, and 23% said an attack increased patient mortality rates. To mitigate these issues, healthcare entities must have well-defined incident response plans and business continuity strategies that minimize the operational impact of cyberattacks and allow them to manage crises efficiently when they occur, ensuring patient safety while limiting disruption and the financial impact of the attack.


Civil Monetary Penalties

Non-compliance with HIPAA can lead to substantial civil monetary penalties (CMPs). These penalties are imposed to punish organizations for not taking their responsibilities under HIPAA seriously and send a warning to other HIPAA-regulated entities that non-compliance with the HIPAA Rules will not be tolerated. Regulators have stepped up enforcement of HIPAA compliance in recent years to increase the deterrent.

The 2023 penalties for HIPAA violations start at $137 per violation, but even at the lowest level the costs can be considerable. For instance, if a healthcare organization inadvertently discloses patients’ protected health information (PHI) without proper authorization, it may be fined for each individual affected by the breach, and the cumulative costs can easily amount to hundreds of thousands of dollars. For the most serious violations, where there has been willful neglect of the HIPAA Rules with no attempt to correct violations, the maximum penalty is $2,067,813 (in 2023) per violation, per calendar year.

The Department of Health and Human Services (HHS) Office for Civil Rights investigates all data breaches of 500 or more records as well as some smaller breaches to determine if they were caused by non-compliance with HIPAA. When OCR identifies serious violations of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule, HIPAA violation fines are commonly imposed. Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center were all fined $3 million for HIPAA violations in 2019, and in 2018, Anthem Inc. was fined $16 million for multiple violations of the HIPAA Rules that contributed to its record-breaking data breach in 2015.

State Attorneys General also have the authority to impose civil monetary penalties for HIPAA violations, and HIPAA enforcement by state attorneys general is increasing. Between January 1 and October 30, 2023, there were 12 enforcement actions over HIPAA violations, including a $49.5 million settlement with Blackbaud to resolve violations of HIPAA and state laws. In addition to the settlement with OCR, Anthem Inc. settled a multistate investigation for $48.2 million.

CMPs are a significant financial burden and send a strong message about the importance of safeguarding patient data and complying with the HIPAA Rules. It may not be possible to prevent all data breaches, but organizations can avoid CMPs if they take their compliance obligations seriously and have a comprehensive HIPAA compliance program, comply with the HIPAA training requirements, and provide regular security awareness training to their employees.

Criminal Penalties

Beyond civil penalties, non-compliance with HIPAA can result in criminal penalties for individuals who intentionally violate patient privacy or misuse PHI. Criminal charges may be brought in cases of negligence or accessing/disclosing PHI with malicious intent, such as selling patient data for personal gain or using the information to cause harm. The fines imposed in criminal cases can be substantial, ranging from thousands to millions of dollars depending on the nature and extent of the violation and the harm that has been caused. In addition to financial penalties, individuals found guilty of HIPAA-related criminal offenses may face imprisonment, and the jail terms for HIPAA violations can be lengthy.

The maximum jail term for a HIPAA violation is ten years, plus 2 years if there is aggravated identity theft. The identity theft sentence must be served in addition to the sentence for the criminal HIPAA violation. These criminal penalties underscore the gravity of intentional HIPAA violations and serve as a strong deterrent to prevent malicious actions. There have been many prosecutions for criminal HIPAA violations, most commonly when healthcare workers have stolen patient data to sell to identity thieves or have used PHI to run up debts in the victims’ names, and there have been several cases where healthcare workers have accessed PHI for use in child custody cases.

Organizational and Brand Reputation Damage

One of the intangible but harmful consequences of non-compliance with HIPAA is the damage to an organization’s or individual’s reputation. Trust and credibility are essential in healthcare, and a breach of patient privacy can have lasting negative effects. Negative publicity, media attention, and word-of-mouth can tarnish the reputation of healthcare providers and healthcare professionals, and with the reach of social media, the reputational damage can be swift and extensive.

HIPAA violations and data breaches erode trust, and if patients have doubts that their healthcare providers can keep their sensitive healthcare information secure, they may choose to seek healthcare elsewhere. Patient attrition after a data breach can have a significant financial impact, and potential business partners may hesitate to collaborate with organizations that have a history of non-compliance, limiting growth opportunities and partnerships. Protecting reputation is essential not only for financial stability but also for maintaining the integrity and trustworthiness of healthcare providers and professionals in the eyes of the public.

Patient attrition is one of the hidden costs of a data breach. Following a data breach, especially one that has been caused by non-compliance with HIPAA, patient loss to other healthcare providers can be significant. A study conducted by the Ponemon Institute in 2019 found healthcare experiences the highest churn rate of all studied industry sectors following a data breach. At 6.7%, it is higher than the financial sector (6.1%), services (5.2%), energy (3.0%) and education (2.7%). In an effort to minimize patient loss, hospitals often increase their spending on advertising. One 2019 study determined advertising expenditure increased by 79% in the two years following a healthcare data breach. The researchers suggested that these costs, which can be considerable, were seen as necessary to repair reputations and prevent patient loss.

One of the ways that reputational damage can be limited is through communication. Without careful communication and public relations efforts, non-compliance can cause significant and long-lasting damage to an organization’s reputation, which can contribute significantly to the overall cost of a breach. A 2019 study conducted by Experian highlighted the importance of effective communication following a data breach. 90% of respondents to the survey said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach.

The loss of patients or clients can lead to decreased market share, making it more challenging to compete in a competitive healthcare landscape. Healthcare entities must prioritize robust data protection measures and privacy safeguards to maintain patient loyalty and trust, ensure they are transparent and issue prompt notifications, and have a plan in place for mitigating the financial and operational impact of patient attrition.

Increased Oversight by Regulators

Non-compliance with HIPAA often leads to increased regulatory oversight from OCR and other relevant authorities. OCR investigates data breaches and often discovers HIPAA violations. While civil monetary penalties are imposed for the most serious violations, the majority of HIPAA compliance issues are resolved through voluntary compliance, where the covered entity or business associate recognizes the HIPAA violation and takes prompt action to correct it, or through technical assistance, where the breached entity is told by OCR where they went wrong and what needs to be done to fix the problem.

If non-compliance with HIPAA is uncovered, healthcare organizations may be required to implement a Corrective Action Plan (CAP). CAPs are designed to address deficiencies, rectify issues, and prevent future violations of HIPAA. These plans can be resource-intensive, both in terms of time and financial resources. They typically involve a comprehensive review of policies and procedures, staff training, security enhancements, and ongoing monitoring to ensure compliance. The cost of implementing a CAP can vary widely depending on the organization’s size and the extent of necessary improvements. These expenditures can strain budgets and divert resources from other healthcare initiatives, impacting both the financial and operational aspects of the organization.

While a CAP is preferable to a CMP, a CAP typically involves heightened scrutiny of HIPAA compliance. OCR often monitors organizations closely for compliance with the CAP, and there may be HIPAA compliance audits, inspections, investigations, and extensive documentation checks. Healthcare organizations must allocate resources to respond to inquiries, provide documentation, and address any identified compliance gaps. The additional administrative burden can divert staff time and financial resources away from core healthcare activities, impacting operational efficiency and productivity.

Some healthcare organizations, especially those that rely on government programs like Medicare and Medicaid, risk losing critical funding if they fail to comply with HIPAA regulations. Non-compliance can result in the suspension or termination of participation in these programs, which can have a devastating financial impact. The loss of government funding not only affects the organization’s bottom line but also limits access to care for vulnerable populations who rely on these programs for essential healthcare services. Consequently, healthcare entities must prioritize HIPAA compliance to ensure the continued availability of government funding and support for patient care.

Legal Fees and Class Action Lawsuits

Non-compliance with HIPAA often leads to legal proceedings and investigations, necessitating the engagement of legal counsel, and legal fees can become a significant cost for healthcare organizations. The legal costs include expenses related to hiring attorneys, legal representation during investigations or hearings, and court-related costs. The complexity and duration of legal proceedings can vary widely, impacting the overall legal fees incurred. These expenses can strain financial resources and add to the financial burden of non-compliance. Healthcare entities must allocate budgetary resources for legal support, compliance programs, and risk mitigation strategies to effectively manage these costs and navigate legal challenges.

While it is not possible for an individual to sue for a HIPAA violation itself, individuals affected by healthcare data breaches can take legal action against healthcare organizations for equivalent violations of state consumer privacy and data protection laws. While class action lawsuits were once relatively rare after healthcare data breaches, that is no longer the case. Class action lawsuits are now filed within days of a healthcare data breach being announced, and most large data breaches trigger multiple class action lawsuits. BakerHostetler’s Annual Data Security Incident Response (DSIR) Report reviewed 23 data breaches managed by the firm and found 58 lawsuits had been filed in response to the breaches, with 43 of those lawsuits filed in response to data breaches at healthcare organizations. It is also common for class action lawsuits to be filed in response to small data breaches.

Class action lawsuits can result in costly settlements or judgments, adding to the financial burdens of non-compliance. Legal expenses associated with defending against these lawsuits, including attorney fees and court costs, can further strain resources. Moreover, lawsuits can be time-consuming and emotionally taxing for all parties involved, making them a significant challenge to manage.

The threat of lawsuits is believed to be one of the reasons why healthcare organizations are becoming increasingly opaque about the causes of data breaches and often do not provide sufficient information in their breach notifications to allow the victims to assess the potential for harm. While this lack of detail can potentially reduce legal risk, there is considerable potential for reputational damage which can increase patient attrition.

Costs versus Benefits of HIPAA Compliance

Non-compliance with HIPAA can result in significant financial penalties, legal fees, reputational damage, patient attrition, corrective action plan costs, data breach expenses, increased regulatory oversight, loss of government funding, exclusion from federal programs, lawsuits, and operational disruptions. HIPAA compliance offers benefits such as enhanced patient trust, improved data security, reduced risk of legal and financial penalties, streamlined operations, and adherence to ethical and regulatory standards, ultimately contributing to better patient care and a stronger healthcare ecosystem. The cost of HIPAA compliance can be significant, as it requires investment in infrastructure and ongoing training and monitoring, but the benefits of compliance far outweigh the costs.

Steve Alder, Editor-in-Chief, HIPAA Journal

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
