
HIPAA FAQ Part 2: What are the risks of not being HIPAA compliant?

March 30, 2016

This article assumes you have a good understanding of HIPAA. You can learn about HIPAA from a variety of sources, including our first blog post on HIPAA. In this article we discuss the rise in medical records data breaches, and how being HIPAA compliant protects your business’s reputation and limits its liability. We also dive into the risks of not being compliant.


In the past most medical records were on paper; now they are digital and online. Breaches primarily occurred at hospitals and health insurance companies, and there was no enforcement for small practices. Lax security practices have given rise to data breaches in recent years, especially at smaller practices. In 2009, the American Recovery and Reinvestment Act set aside $27 billion under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to foster increased use of Electronic Health Records (EHRs) by physicians and hospitals. The incentive program, also known as “Meaningful Use,” provided covered entities with additional Medicare payments if they implemented EHRs. According to the U.S. Centers for Medicare and Medicaid Services (CMS), approximately 80% of eligible hospitals and 50% of eligible physicians have adopted EHRs and received incentive payments from Medicare and Medicaid. The success of the Meaningful Use program is driving the use of EHRs. However, as the push to implement EHRs grows, so does the number of breached patient records.

According to the United States Department of Health and Human Services (HHS), more than 20 million patient records have been breached since 2009. Numerous breaches resulted from lost or stolen laptops, smartphones, tablets, USB drives and other portable media. Insecure emails and records stolen by hackers are also a major cause. However, dishonest or careless employees are known to be the chief cause of breach incidents. Reacting to this epidemic of patient record breaches, the HHS Office for Civil Rights (OCR), which is tasked with enforcing the HIPAA regulations, is dedicated to ensuring that HIPAA regulations are strictly enforced and patient information is secure. OCR implemented a pilot program in 2012 that randomly audited 115 healthcare organizations of all sizes. The audits involved billion-dollar healthcare corporations, insurance companies, and even small physician practices. OCR is ramping up its HIPAA privacy and security audit program for covered entities and business associates. Delayed until 2015, the second round of HIPAA audits is anticipated to be more comprehensive. Unlike the previous audits, fines are expected to be handed out. The focus will be on the everyday, real-world application of HIPAA policies and procedures across the entire organization.

The cost of data breaches and HIPAA violations can be catastrophic for small and large practices alike. The Ponemon Institute conducted a study in 2011 that looked into the cost of data breaches in the U.S. It found that the estimated cost of a data breach in the healthcare industry was $240 per record. This number does not include HIPAA fines but covers direct and indirect costs. Direct costs are the detection and escalation costs, which include forensic investigative activities and crisis management activities, as well as notification and post-breach costs. What many practices don’t take into account are the indirect costs. These are the costs that are hardest to recover from: the damage done to your practice’s reputation. Indirect costs are associated with the loss of patients and, in turn, the turnover of existing customers. The biggest part of the indirect cost is associated with the HHS “Wall of Shame.” The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. OCR posts all large data breaches online, and the list can be found here. This translates to diminished customer acquisition and a damaged reputation. If you haven’t seen the news, OCR just reached a settlement of $5.5 million with the North Memorial Health System of Minnesota and Feinstein. Google “North Memorial Health,” and it won’t take long to see the damage that breaches and fines can cause to a practice.

These two blog posts just scratch the surface of what HIPAA is and why it is important for medical practices to become compliant. Here at Nexxtep we pride ourselves on being a technology leader and advisor to our strategic partners. If you are a medical practice, or know of a business that needs help navigating the process of becoming HIPAA compliant, please share these posts with them.

Contact us today if you have questions about HIPAA compliance.
