Do you know how much a potential security breach can cost you if you violate the HIPAA and HITECH rules? It may be more than you think. Risks are always present and constantly changing, which is why you need to stay in compliance with the current laws and regulations. “The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).”(1)

In 2009, the introduction of the HITECH Act expanded the responsibilities of business associates under the HIPAA Privacy and Security Rules. What is a business associate? It’s anyone you do business with who may come into contact with your ePHI, such as an accountant, attorney, third-party administrator, contract application developer, cloud-based service provider, etc. If you are unsure of your business associate status, we highly recommend that you consult an attorney to clarify any questions or concerns you may have about HIPAA classifications.(2)

In a recent research study conducted by Ponemon in June 2016, “the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 to $4 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year’s study.”

However, healthcare organizations had an average cost of $355 per record breached, which is more than double that figure. The reason for such a high cost per record is the damage that can be done with stolen personal health information. If a credit card is breached at the merchant level, it’s usually quite easy to track down where it happened. With stolen personal health information it becomes trickier, because of the massive number of third parties involved and the many hands the data passes through, many of which are unknown to the patient.

Many times after ePHI has been breached, it ends up for sale on the black market. Stolen ePHI is more valuable because it contains data that can be used continually, unlike a stolen credit card that gets deactivated once the theft is discovered. You can’t do that with someone’s personal health information; there’s no deactivation switch for your social security number, address and other highly sensitive, personally identifiable information. A good example of how it’s sold on the black market is available at Brian Krebs’s site.

So what you need to ask yourself is:

Is the cost of mitigating the risk less than the cost of remediating a breach ($355 per record)?

(1) Information from: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/
(2) Information from: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html