© 2023 HealthWorks Collective. All Rights Reserved.
Cost of Non-Compliance with HIPAA and HITECH

Adnan Raja
Last updated: February 5, 2021 8:45 am

In May, an organization with 45 offices, the Women’s Health Care Group of Pennsylvania, informed 300,000 patients who had been treated in its facilities that a ransomware attack had compromised their healthcare data. The healthcare firm found the intrusive software on both a workstation and a server on May 16. Both machines were taken off the network, and the forensics team started rooting out the issue. Like many of these incidents, the attackers had remained undetected for months. They had been in the system since as far back as January, having made their way in via a security loophole. That security issue gave the hackers the ability to access patient files prior to the encryption of the data. The information taken included names, dates of birth, Social Security numbers, medical record numbers, diagnoses, lab test results, blood type data, pregnancy records, and insurance information.

The above story is, unfortunately, very common. The true cost of non-compliance is complex, including the fine and many other possible expenses. Let’s look at the average real total cost of a breach; the ways in which the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) changed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules; the range of possible HIPAA fines; additional non-compliance costs; and how to take action so that you can consistently stay within the confines of the regulations.

Contents
  • How much do healthcare data breaches cost?
  • How HITECH changed HIPAA
  • Minimum and maximum levels for HIPAA fines
  • Additional costs of HIPAA non-compliance
  • Taking action to avoid HIPAA non-compliance

How much do healthcare data breaches cost?

A study from patient privacy monitoring firm Protenus, released in early 2017, found that 200 exploits of patient data had been revealed so far this year through the Office for Civil Rights (the subagency of the Department of Health and Human Services that is responsible for the enforcement of HIPAA). This list, often referred to as the HIPAA Hall of Shame, notifies the public of any exposure of protected health information that affected at least 500 patients. The company noted that 450 breach incidents occurred throughout 2016. By the date of publication of the Protenus analysis, 233 had taken place so far this year.

Of course, every incident is different, partly because a greater amount of compromised data means higher expenses. The Ponemon Institute’s research on this topic, as seen in the 2016 “Benchmark Study on Privacy & Security of Healthcare Data,” has found that most healthcare companies are hit by numerous hacking efforts. More disconcerting, the analyst organization has determined that many healthcare companies lack the funds and resources to properly manage these events. The 2016 study looked at 91 covered entities (healthcare providers, plans, and data clearinghouses) and 84 business associates (contracted partners that handle health data for covered entities).

The total impact of healthcare data breaches is astounding: according to Ponemon, it is $6.2 billion annually. In the analysis, about 9 out of every 10 covered entities had experienced a data breach within the last two years. Almost half of them had suffered more than five within that window. What is the cost to you, though, if you get hit by an attack? The average total expenses related to a single breach event are over $2.2 million, Ponemon noted (although that could be an underestimate, as the data below suggests).
The average expense incurred by business associates was not quite as high but was also substantial at over $1 million per incident. In 2016 as in 2015, cybercrime was the top reason that breaches occurred within healthcare, according to Ponemon. “In fact,” noted the research team, “50 percent of healthcare organizations say the nature of the breach was a criminal attack and 13 percent say it was due to a malicious insider.” With business associates, the number is a bit lower: respondents said that it was a criminal event in 41% of cases, whereas a malicious insider was responsible 9% of the time.

How HITECH changed HIPAA

Our primary focus will be HIPAA, since the security and privacy requirements of that law are the primary compliance need in healthcare settings. However, HITECH also must be addressed. HITECH was a part of the American Recovery and Reinvestment Act of 2009. It was a bill with the principal intent of increasing the adoption of health information technology (expediting the transition to digitized records). When people talk about compliance with HITECH, they are primarily pointing to the ways in which it changed the requirements of HIPAA. The most significant example is the stronger rules related to breach notification. Today, when a breach occurs, the fine is larger and more notifications are required if data is lost or stolen. Plus, the security and privacy requirements of HIPAA must also be met directly by business associates, as opposed to the covered entity bearing the sole responsibility for protection. Other updates to HIPAA compliance effectuated by HITECH include authorization parameters for communications and marketing.

Minimum and maximum levels for HIPAA fines

The HHS’s Office for Civil Rights (OCR) enforces the HIPAA Security and Privacy Rules through investigations of complaints, random compliance audits, and outreach to increase the industry’s understanding of the law. When the OCR investigates a particular company for compliance, it reviews the information it is able to collect and may decide that no violation occurred. If a violation did occur by the agency’s assessment, the OCR will seek voluntary compliance, corrective action, and/or a resolution agreement. Civil penalties can result. If the criminal portions of the healthcare law are violated, the case may be referred to the Department of Justice for further investigation.

Civil fines, the most common outcome, are set within a tier of possible amounts. The HHS Secretary can decide what is appropriate within the range described by that tiered system. Also note that the Secretary cannot impose a civil fine if corrections are made within 30 days, except in the case of willful neglect. The minimum and maximum dollar amounts for HIPAA infractions are:

  • Unknowing violation: the minimum fine is $100 for each violation, up to a limit of $25,000 if there are numerous violations. The maximum is $50,000 for each violation, up to a limit of $1.5 million.
  • Reasonable cause: the lowest penalty is $1,000 for each violation, up to a total yearly fine of $100,000. The maximum is $50,000 for a single violation, also up to a limit of $1.5 million.
  • Willful neglect, corrected: the least a fine can be is $10,000 for each violation, up to a yearly limit of $250,000.
  • Willful neglect, uncorrected: the lowest penalty is $50,000 for each violation, up to $1.5 million per year. The most it can be is $50,000 for one violation, again up to a yearly total of $1.5 million.

Criminal investigations are managed by the Department of Justice. Someone who knowingly disregards the Administrative Simplification Rule can personally be fined as much as $50,000 and be sentenced to up to a year in prison. If the violation involves false pretenses, the person may have to pay as much as $100,000 and be sentenced to up to 5 years in prison. If there is established intent to use electronic protected health information (ePHI) for commercial or personal gain, the fine can be as high as $250,000, with jail time of up to 10 years.


Additional costs of HIPAA non-compliance

To be clear, the reason that healthcare data breaches are so expensive goes far beyond the fines; most of the cost comes from other expenses. A study by TransUnion found that patients and health plan clients may switch to a different provider following a hack. 65% of people who took part in its poll said that they would “consider making the change after a data breach exposed their confidential records,” noted HIPAA Journal. The total cost of an event, on average, is $5.9 million, according to this analysis (a higher total than that indicated in the Ponemon research above). Incidentally, the average number of records exposed within this same data is 29,087. The elements of that $5.8 million total include breach notifications ($1.6 million); detection and escalation ($417,000); lost business ($3.2 million); and additional costs and losses ($415,000). Note that the figures above do not reflect the additional 15% customer turnover that typically occurs as a result of these events.

Taking action to avoid HIPAA non-compliance

Whether the Ponemon analysis or the one by TransUnion is closer to the correct total average, the average cost of a healthcare violation is certainly in the millions. To achieve consistent compliance, you need a provider that understands and implements the proper safeguards, as seen through the experience of individual clients.

By Adnan Raja
With over 10 years of experience in marketing and business strategy, Adnan has successfully branded and launched products from concept to marketing to profitable campaigns. He is always looking for innovative, pioneering strategies to grow the business via partnerships and revenue opportunities.