How Breaches Add Up to Millions for Failed HIPAA Compliance

by Yenny (SU)

It’s no secret that violations of the Health Insurance Portability and Accountability Act (HIPAA) cost businesses money – and their reputation – when they are found to be non-compliant. The HIPAA rules set strict standards for how covered entities and their business associates handle, store, and electronically exchange health information, in order to protect the security and privacy of patient data. When a data breach compromises that privacy, settlements or civil penalties can add up to millions. This is one instance where an ounce of prevention is worth far more than a pound of cure.

Breach of Protected Health Information

A breach is generally defined as the acquisition, access, use, or disclosure of protected health information, or PHI, in a manner not permitted by the HIPAA Privacy Rule, where that action compromises the security or privacy of the PHI. Among the rules governing the administration and protection of patient data are strict requirements on how and when an entity must inform affected persons of the breach.

During the first few years after HIPAA was enacted in 1996, its governing agency, the Department of Health and Human Services (HHS), focused on calling attention to deficits in security and issuing warnings when a business was found not to be in compliance. This gave practices and other covered entities time to become familiar with the new rules and learn how to adhere to them.

What complicates things for most businesses is keeping up with the changes and updates to compliance policy. Many of these changes are driven by the ever-evolving nature of technology. Although legislators and regulators do their best to keep pace, rules that are written only after a need or a compromise has been identified will almost inevitably lag behind the threats, and the gap is widest when a threat is especially novel or damaging. Regardless of the inconvenience or the cost of changing software and business practices to conform with the regulations, failing to comply can cost a business millions in settlements or penalties, on top of the cost of the breach itself.

Rules for Reporting a Breach

In the event of a breach, the covered entity must disclose the extent of the breach, who or what may have been affected, and what data were compromised. Under the Breach Notification Rule, affected individuals must be notified without “unreasonable delay” and in no case later than 60 days after discovery of the breach. If the breach affects 500 or more individuals, the entity must also notify HHS within that same 60-day window and notify prominent media outlets serving the affected area; smaller breaches are reported to HHS in an annual log. Business associates, in turn, must report breaches to the covered entity they serve.

There have been cases in which practices or business associates entered into monetary resolution agreements with HHS after repeated incidents of negligence, where the failure to follow HIPAA requirements led directly to the breach. Being unaware of a breach does not release the responsible party from enforcement action by HHS; the size of the potential penalty is tiered by the entity’s degree of culpability, from violations it could not reasonably have known about up to willful neglect that is never corrected.

As an example, in 2017 the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information after a portable USB storage device containing ePHI was stolen. MAPFRE Life Insurance Company of Puerto Rico agreed to settle potential noncompliance with the HIPAA Rules by paying $2.2 million and implementing a corrective action plan.

The onus is on any organization in the healthcare sector to protect patient data, learn the current HIPAA regulations, and comply.

Help is Available

Medical professionals take an oath to care for and protect their patients. HIPAA laws support that by protecting a patient’s private health data.  That’s why navigating HIPAA laws and being prepared for upcoming changes is best accomplished by relying on compliance professionals. The expert consultants at Colington Consultants will evaluate your business practices and make recommendations to comply with the most current rules of HIPAA. Call (800) 733-6379 today to schedule a free, no-obligation consultation.