
The Cost of HIPAA Non-Compliance

The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities and their business associates to implement appropriate administrative, physical and technical safeguards to keep electronic protected health information (ePHI) secure. Failure to implement those basic minimum standards can lead to more than just a fine from the Department of Health and Human Services’ Office for Civil Rights (OCR). The cost of HIPAA non-compliance is considerable.

The True Cost of HIPAA Non-Compliance

Since the HITECH Act of 2009 strengthened HIPAA enforcement, OCR has been able to fine organizations that fail to implement the appropriate controls to protect healthcare data and the privacy of patients. Fines of up to $1.5 million per violation category can be issued for each calendar year in which a violation persists, so a single uncorrected failure that has been allowed to continue for several years can attract the maximum penalty for each of those years.

Multimillion dollar financial penalties have already been issued for non-compliance, but a HIPAA violation penalty is often one of the smaller costs a covered entity faces. Organizations experiencing even relatively small data breaches can see the cost of a healthcare data breach spiral.

Tenet Healthcare predicted that its data breach would cost in the region of $32.5 million, while the Anthem hacking incident has been tipped to cost considerably more; conservative estimates start at $100 million.


Breach notification costs cannot be ignored. Printing and mailing millions of letters by first class mail, and sending further updates as more information becomes available, causes breach costs to soar. The provision of credit monitoring and credit repair services to affected individuals must also be added to the total.

Real Cost of Data Breaches Difficult to Calculate

Recent research conducted by credit agency TransUnion showed that patients and health plan members may even change provider after a data breach: 65% of respondents taking part in the survey said they would consider switching after a data breach exposed their confidential records. Civil lawsuits can also be filed against health plans and healthcare providers on the grounds of negligence following a data breach.

It can take many years after a data breach before the final cost becomes known, and it is almost impossible to accurately predict how much a data breach will actually cost a healthcare provider. If you need to calculate insurance cover, however, consider the costs detailed in the infographic below:



Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.