Another week, another HIPAA data breach. On September 10th, healthcare behemoth Kaiser Permanente sent out a letter to 670 patients, notifying them that their PHI had been impermissibly emailed out of network. But in light of all these recent data breaches and security failures, one might ask, “who cares?” If fixing the issue is as simple as writing an apology letter like Kaiser did, why jump through all the hoops of encryption, access control, and HIPAA compliance? After all, HHS still has the ultimate discretion over whether to assess penalties, right?
Well, if the only cost was paying a fee to HHS, this analysis would be correct. Unfortunately for providers, the true cost of a HIPAA data breach typically dwarfs any sort of HIPAA or regulatory fine.
In a white paper published earlier this year by tech company Symantec, a global analysis found that the average cost of a US data breach fell just a shade under $200 per record compromised, which aligns with other studies done on the subject. If this number seems high, it’s because it is. The $200/record figure takes into account the cost of notifying individuals, providing credit monitoring services to them for the next decade or two, and various other costs associated with remedying the event.
Think about that number again. $200 per person! That means that for each of the four laptops that were stolen from Advocate earlier this summer – with one million patient records stored on each – each mobile device represented, on average, about $200 million in potential liability to the health system. This number is truly astounding. Put another way, the liability risk for each laptop more or less equated to the asset price of the hospital building they walked out of.
To make matters worse, some could argue that the $200/person mark represents a low estimate of the true total cost of a data breach. If an entity was particularly negligent, it could invite a class action lawsuit where the plaintiffs can and have asked for upwards of $1,000/record. Moreover, the $200/record figure doesn’t take into account the negative publicity and the effect that this could have on a publicly traded healthcare company. Just ask CVS.
The scariest part of all of this is that many providers don’t understand the magnitude of the risks they are taking by skipping some of the HIPAA regulations. Sure, you could get caught by HHS under HIPAA and get penalized for not using secured email or secure text messaging, and you might have to pay a hefty fine as a result. However, the much bigger risk is having an IT failure and letting thousands of records walk out of your facility in a heartbeat. The real cost of that sort of an event will blow the regulatory fine away.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.