When I have conversations with hospitals and other organizations subject to HIPAA, one of the first questions asked is “if I have a data breach, will OCR fine me, and if so, how much?” Many organizations decide to gamble: they opt to save time and money by not implementing a robust information risk and compliance program, on the chance that the Office for Civil Rights (OCR) won’t fine them in the event of a breach. Although OCR is the regulatory agency that enforces HIPAA, its fines are only one of the potential expenses an organization incurs for a data breach.
For example, a breach may damage an organization’s reputation because of the perception that the organization did not properly protect data. Repairing a reputation costs money. A recent study published in The American Journal of Managed Care found that “a hospital data breach was associated with a 64% increase in annual advertising expenditures.” The study included a sampling of Medicare hospitals, and the breaches studied included theft, loss, unauthorized access/disclosure, improper disposal, and hacking.
Of the study’s control group of 3,421 hospitals, 75 hospitals were breached. According to the study, “breached hospitals spent nearly three times more on advertising than the control hospitals (approximately $688,000 vs $238,000 for annual spending; $1,713,000 vs $551,000 for two-year spending).”
Some obvious risks of a data breach are the impact of the loss of patient data, regulatory fines, potential class-action lawsuits, and increased legal and consultative costs; however, a sometimes-overlooked cost is how a data breach affects a hospital’s competitive advantage in the marketplace.
Implementing an effective security program that helps minimize data breaches, or their damaging effects, begins with the basics of information security and governance. Some examples include:
- Identify your sensitive data and know where that data lives
- Conduct regular risk assessments
- Create a culture of security awareness
- Document an enterprise-wide security program
- Have a good incident response plan in place, including training on and regular testing of that plan
- Continuously monitor your security program and update as needed
- Understand contractual requirements for breach notification
A mature information security and compliance program goes beyond the fear of OCR fines and penalties. It includes understanding the potential adverse effects of a breach and proactively implementing a program that safeguards patient data, assists in minimizing patient harm, and ultimately reduces your advertising budget. A strong security and compliance program keeps your organization viable in the ever-changing competitive landscape of providing healthcare to consumers.