Understanding the Costs of a Healthcare Data Breach

Sep 28, 2012


Posted by Zaid Rasid

Continuing our series on medical breaches, in this post we'll take a look at some of the costs and penalties associated with a breach.

But before we jump into costs, let's gain a better understanding of the regulations currently in place that affect the healthcare industry. First, all providers, health insurance plans and employers in the health care industry must comply with specific standards found in the Health Insurance Portability and Accountability Act (HIPAA). Following this legislation, in 2009 the US government enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Many of the provisions in this act are enforced by the US Department of Health and Human Services (HHS). The HITECH Act is considered legislation created to stimulate the adoption of electronic health records (EHR) and supporting technology in the US. Because the act anticipates an influx of electronic health care data, it also widens the scope of the privacy and security protections under HIPAA; with this come additional legal liabilities for non-compliance and additional enforcement policies.

We also need a clear definition of what is meant by a breach. The HIPAA Breach Notification Rule defines a breach as follows:

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Before any costs or fines are incurred, a covered entity found to have suffered a breach must send out a number of notices: a notice to all individuals affected by the breach, a notice to the media for breaches affecting more than 500 people, and a notice to the Secretary of Health and Human Services. Once all notices have been sent, you can expect a visit from federal investigators and auditors, who will determine the level of care you exercised in protecting Protected Health Information (PHI).

This is where the HITECH Act comes into play: in particular, Section 13410(d) of the act dictates the specific costs and penalties of a breach. The penalties are classified in four tiers, described as follows:

Tier 1: The violator did not know they were causing a breach and, even by exercising reasonable diligence, would not have known. The fine for this violation is a minimum of $100 for each patient record that was violated, not exceeding a total of $25,000 for the calendar year, and no more than $50,000 per violation, not to exceed $1.5M for all identical violations in a calendar year.

Tier 2: The violation was due to reasonable cause and not willful neglect. The fine for this violation is a minimum of $1,000 for each patient record that was violated, not exceeding a total of $100,000 for the calendar year, and no more than $50,000 per violation, not to exceed $1.5M for all identical violations in a calendar year.

Tier 3: The violation was due to willful neglect. If the violation is corrected, the fine is a minimum of $10,000 for each patient record that was violated, not exceeding a total of $250,000 for the calendar year, and no more than $50,000 per violation, not to exceed $1.5M for all identical violations in a calendar year. If it is not corrected, the fine is $50,000 or more per violation, not to exceed $1.5M for all identical violations in a calendar year.

If the above fines and provisions aren't enough to catch your attention, the HHS.gov site lists case examples and resolution agreements of well-established providers who have breached PHI data. Some examples include a Massachusetts provider settling for $1.5M, Alaska DHSS settling for $1.7M, BCBST settling for $1.5M, and more. Not to mention the infamous HHS "Wall of Shame", a public website that lists all healthcare practitioners who have been found guilty of a significant violation.

The above may seem overwhelming and even intimidating. With the current HITECH Act and HIPAA compliance requirements, it can seem almost futile for health care practitioners to avoid incurring these types of costs. Having to settle a data breach can hurt not only your brand reputation but also your wallet, and it can consume a lot of your time. Fortunately, there are preventive measures available to help secure PHI data. One of these measures is ensuring that you have a comprehensive data backup and recovery system.

So instead of living in fear of the repercussions of the HITECH Act or continuously trying to understand the provisions of HIPAA, take steps now to ensure your patient health information is protected. The technology exists, and if you need some help, Asigra is more than happy to assist you in finding a solution that fits your needs. Contact us and we'll put you in touch with an Asigra cloud backup service provider who can work with you to design a cloud backup strategy that's right for you.
