Better to Be Safe than Sorry with ePHI Compromise

By: Russ Stay, SecurityMetrics

Let's be straightforward. Doctors, administrators, and office managers are trained to be experts at health care, not Healthcare Insurance Portability and Accountability Act (HIPAA) privacy and security compliance. Even after patient information privacy and security precautions are taken and HIPAA best practices are followed, what happens if certain variables are overlooked and create a vulnerability? What would happen, financially, if your records systems were breached today?

Surprise! You may not be covered
With the new HIPAA Omnibus Rule deadline nearly at hand, now is the time to examine your organization's coverage to determine whether you would be protected in the event of a breach. In our experience with HIPAA security violations, many healthcare entities are unprotected or seriously under-covered for security breaches of electronic patient health information (ePHI). If a patient suspects a compromise of their personal information, they can alert the Department of Health and Human Services (HHS) for further investigation and potential litigation. Unfortunately for healthcare organizations, standard crime-coverage or liability insurance policies selected to cover tangible property theft (e.g., medical equipment) don't typically extend to ePHI theft, and HIPAA privacy/security violations may not be covered under malpractice policies either.[1]

So what exactly are the comprehensive costs for a HIPAA violation?

The real cost of compromise
Many healthcare organizations don't know the real cost of compromise, with potential expenses such as HHS fines (typically at or above $50,000), onsite forensic investigations (starting at $12,000), credit monitoring ($2-$5 per individual affected), and eventual computer security remediation (seldom less than $5,000).

Many falsely believe the HHS is only concerned with auditing and fining large entities and hospitals for HIPAA compromise. In 2012, Phoenix Cardiac Surgery, P.C., a five-physician practice, became the first small practice to enter into a resolution agreement that included a civil penalty of $100,000 over violations of HIPAA security. In a more recent instance, the HHS announced its first HIPAA breach settlement involving less than 500 patients with the Hospice of North Idaho for $50,000.

Breach coverage - the failsafe
In 2011, U.S. healthcare organizations generated 150 exabytes (that's 150 billion gigabytes) of data.[2] According to the HHS, more than half of doctors today are using electronic health records, an increase of more than 200% since 2008. Consequently, there has never been a more opportune time for hackers to challenge healthcare security. In fact, many security professionals state, "It's not a matter of if you're breached, but when."

Numerous reports discuss the increasing occurrence of healthcare data breaches among small and large organizations alike, and it seems impossible to predict and protect against each scenario. For organizations looking to mitigate business risk, breach coverage is no longer optional.

Financial assistance
Breach coverage exists to address the financial hardships your organization may endure in the aftermath of compromise. Most breach coverage programs cover costs relating to a data compromise up to a financial limit (e.g., $100,000). The best breach coverage programs cover any compromise expenses relating to data breach including but not limited to: HHS fines, forensic investigations, and remediation.

Fortunately for medical professionals, a good breach protection program is much less costly than defending just one medical privacy lawsuit or dealing with an HHS fine from a HIPAA violation. Breach coverage makes the most financial sense when combined with other tools that reduce actual risk, such as strong security practices, policies, and procedures that help prevent patient data loss in the first place.

Security policies
Since the Omnibus Ruling (which deals more specifically with data security) was only recently approved, many healthcare organizations are well-trained and prepared in terms of HIPAA privacy policies and procedures, but may not have even started on HIPAA security policies, which are vastly different. Organizational security in any industry often fails because entities lack (or refuse to revise) security policies that regulate employee interaction with sensitive data. Accordingly, some breach coverage programs include templates that offer general security guidelines healthcare organizations may use to create customized company policies for employee training to secure ePHI.

Is it worth it?
The cost and amount of breach coverage varies. To illustrate with an example, SecurityMetrics Assurance includes a data discovery tool, data protection policy, security consulting, and reimburses up to $100,000 in the event of a HIPAA breach. It is available at $249 per year.

Reflect on these two factors when considering what coverage plan is right for your office:

  • Coverage and cost: How much will a breach coverage program cost you per month/year, and how much coverage does your office need?
  • Options: Does your breach coverage include additional risk mitigation tools or discounts for documented HIPAA compliance?

If you handle, process, store, or transmit personally identifiable information within your system or over your network, you are at risk of financially damaging your organization. Healthcare organizations should immediately audit existing coverage to determine the amount needed to cover the cost of fees and penalties associated with HIPAA non-compliance, violations, and/or breaches, and consider purchasing specific HIPAA coverage. To fall back on the overused phrase, it's better to be safe than sorry with compromise.

Russ Stay is VP of Business Operations for SecurityMetrics, a global data security and compliance company. SecurityMetrics offers HIPAA solutions for small covered entities and can be reached at HIPAA@securitymetrics.com or 877.364.9183.

[1] http://health-information.advanceweb.com/Article/The-Forgotten-Piece-of-HIPAA-Insurability.aspx
[2] McKinsey & Co, 2011

Total articles published on BC Advantage 1