Estimating the Cost of a HIPAA Data Breach
Estimating the cost of a HIPAA data breach is not a streamlined process, at least not until a number of years after a data breach has taken place. Actions must be implemented after a breach, and the cost of sending alerts and damage mitigation can spiral. Fines are also being issued more often to healthcare organizations fail to implement the appropriate privacy and security measures to protect patient healthcare data.
Breaches of Protected Health Information and HIPAA
The Health Insurance Portability and Accountability Act puts a requirement on covered groups to use the appropriate administrative, physical and technical safeguards to stop the unauthorized disclosure of Protected Health Information (PHI). Patients must also be given access to their healthcare information on request, privacy must be respected and policies developed to de-identify data before it is used for research and marketing reasons.
Business Associates – any vendor that needs to come into contact with PHI – must also be audited to make sure they comply with HIPAA Rules. When a Covered Entity (CE) violates these rules, penalties and sanctions can be applied.
When they result in data breaches and the disclosure of PHI, there are a number of responses that the CE must make to address any damage and stop future breaches from occurring. These responses carry a major cost.
The Price of a HIPAA Data Breach Can be Serious
The cost of a HIPAA data breach can be offset with breach insurance products, but how much cover is necessary? To ascertain that, it is essential to analyze the total potential cost of a data breach. However this is far from a simple job.
Class-action lawsuits may be submitted on the grounds of negligence for failing to do enough to protect patient privacy. Breach fines may also be sanctioned by the OCR and attorney generals’ offices.
Experts have tried to calculate the cost of a HIPAA data breach; with the Ponemon Institute and Verizon both having created models to predict the “cost per record” after a data breach. Since many of the costs are hard to predict there is always a certain margin of error involved. Cutting that margin of error can save thousands of dollars in insurance costs and will ensure that if a breach does take place; the insurance company will foot most of the bill.
Even when breaches have taken place, through no fault of the CE, there are still costs that must be paid.