Physicians are becoming increasingly aware that compliance with HIPAA is imperative. While training and preparing compliance plans is something many practices can accomplish easily, controlling the multitude of data found on laptops, smartphones, memory sticks, HR systems, and other devices used in the day-to-day operations of a medical practice remains a challenge.
In 2011, it is estimated that the average cost per record of a healthcare data breach was $240, which is 24 percent higher than for other types of data breaches. According to the Health Information Trust Alliance, between 2009 and 2012 there were 500 breaches at U.S. healthcare organizations, resulting in 21,000,000 personal records being exposed with an estimated cost of $4,000,000 in damages. Sixty percent of these breaches came from smaller physician practices with between one and 100 employees. Sixty-seven percent occurred as a result of theft or loss, 38 percent resulted from an unencrypted laptop or other portable electronic device, and 6 percent came from external hacking.
Physicians hopefully will continue to work hard to ensure compliance and prevent breaches of protected health information, whether technology-related or not. Unfortunately, however, even the best-prepared practices may not be able to prevent such breaches from occurring. Consequently, every practice should have a plan in place for how best to handle a breach if one does occur, and must be cognizant of the potentially high financial cost that comes with it.
Some expenses physicians can expect to incur when a breach occurs include the following:
1. Legal fees. Your lawyer should be among the first to be contacted in the event of a breach. Not only will the practice need guidance on how to respond to the breach and interact with patients and counsel for affected parties, but the practice may also need to respond to a government investigation of the breach.
2. Regulatory costs, fines, and penalties. Significant penalties can be assessed against a practice involved in a data breach. Penalties can range from $100 to $50,000 per violation, depending on the type of breach.
3. IT forensic costs. The practice must determine who is affected by a network or other security breach, which patients need to be notified, and what steps need to be taken to prevent future breaches.
4. Notification costs. Affected parties need to be notified of the breach. Depending on the size of the breach, this might involve calling patients and mailing notifications. Mailing by certified mail can cost $2 to $3 per record. For larger practices, addressing a breach may require the establishment of a call center, which can be a substantial expense.
5. Credit monitoring costs. Affected individuals might need to be offered credit monitoring (at the practice’s cost) if the breach included social security numbers or financial information. The cost of credit monitoring can run up to $50 per person, per year.
6. Practice reputation. Since a breach can affect a practice’s reputation, the practice might need to incur public relations expenses to salvage patient goodwill, as well as advertising expenses to make the public aware of the steps that have been taken to address the breach. These expenses can be high.
To cover the possible costs related to a data breach, a practice must plan ahead, whether by establishing a savings account that could be applied to a data breach event or by acquiring cyber liability insurance or other insurance products available in the market. In particular, new products directed at the healthcare provider market appear regularly and address the particular liabilities faced by physician practices. In addition to the expenses mentioned above, some insurance policies will also cover potential losses suffered by individuals related to identity theft and breach of privacy, and may cover patient class action lawsuits as well as claims by credit card companies and health insurance companies related to a data breach.
While preparation for HIPAA compliance is imperative, practices also should think about how they will financially manage a breach. Given the high costs related to such an event, it’s recommended that physicians talk to their financial advisors and insurance carriers regarding potential options.