Filefax Inc. went out of business while under investigation, yet its HIPAA penalty was still collected through the liquidation of its business assets. Could the same happen to you?
Today’s healthcare industry has to constantly adapt to meet the stringent requirements of the HIPAA regulations. Refusing to comply, or trying to comply and failing, can trigger an investigation, fines, and a range of less obvious costs, but the total has never been entirely clear.
So, what is the cost of HIPAA compliance?
The Department of Health and Human Services (HHS) cites the following estimates, per organization:
- $80 for an updated Notice of Privacy Practices
- $763 for breach notification requirement updates
- $84 for Business Associate agreement updates
- $113 for security rule compliance
This comes out to a total of $1,040 per business, but that figure is far too low, especially once you account for the Security Rule’s 75 requirements and 254 points of validation that an organization must satisfy. Do the math: the HHS’ $113 estimate for Security Rule compliance works out to roughly $1.50 per individual requirement, or less than 50 cents per point of validation. Does that sound realistic to you?
Abstract numbers can be hard to get a feel for, so consider a true story instead: Filefax Inc.
Two years ago, Filefax Inc. was caught impermissibly disclosing the protected health information (PHI) of more than 2,000 patients. The business provided storage, maintenance, and delivery of medical records for covered entities, making it a Business Associate under HIPAA. The HHS Office for Civil Rights (OCR) was informed that an individual had transported medical records obtained from Filefax to a shredding and recycling facility. OCR later confirmed that the medical records of approximately 2,150 patients had been left at the facility, an impermissible disclosure under HIPAA.
Here’s the really interesting part though – during the course of the OCR investigation, Filefax went out of business. You would think they’re off the hook for the HIPAA fines, right?
Wrong. Following the investigation, the court appointed a receiver to liquidate Filefax’s assets, and $100,000 was paid to HHS out of the receivership estate. Even after a noncompliant company has gone out of business, its fines still have to be paid.
“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino of the Filefax investigation. “Covered Entities and Business Associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a Covered Entity is opening its doors or closing them. HIPAA still applies.”
So what’s the best way to narrow the cost down for your own organization? Start by considering the variables:
- Your organization type: Whether your organization is a hospital, Business Associate, HIE, health care clearinghouse, or another type of healthcare provider, each will store and utilize varying amounts of protected health information (PHI) and have varying risk levels.
- Your organization size: As a rule of thumb, the larger the organization and the more complex its systems, the larger its attack surface and the more it has to assess and protect, which in turn means greater HIPAA costs.
- Your organization’s culture: If data security isn’t a priority, it can be difficult to convince management to budget appropriately for HIPAA.
- Your organization’s environment: Even minor IT details, like the varieties of medical devices in place, the brands of computers used, etc., can affect the cost of HIPAA compliance.
- Your organization’s dedicated HIPAA workforce: Even if you already have a dedicated HIPAA team, your organization will likely still require third-party services and consultation in order to maintain HIPAA compliance.
So, when asking the question, “What is the cost of compliance?”, you should really be asking: “What relatively small price for compliance do I need to pay?” The reality is that the cost of being compliant is far exceeded by the cost of being noncompliant and ending up on the hook for a HIPAA violation. Just look at what a data breach could cost you:
- HHS fines: as much as $1.5 million per violation category per year
- Federal Trade Commission fines: $16,000/violation
- Class action lawsuits: $1,000/record
- State Attorneys General: $150,000 – $6.8 million
- Patient loss: 40%
- Free credit monitoring for affected individuals: $10-$30/record
- ID theft monitoring: $10-$30/record
- Lawyer fees: $2,000+
- Breach notification costs: $1,000+
- Business associate changes: $5,000+
- Technology repairs: $2,000+
What is the real cost of HIPAA compliance?
Setting aside the lowball estimates and the potential consequences of a data breach, a realistic price for HIPAA compliance for a small Covered Entity is as follows:
- Risk Analysis and Management Plan: ~$2,000
- Remediation: ~ $1,000 – $8,000
- Training and policy development: ~ $1,000-2,000
Grand total: $4,000 – $12,000
For a medium-large Covered Entity, the costs are:
- Onsite audit: ~ $40,000+
- Risk Analysis and Management Plan: ~ $20,000+
- Vulnerability scans: ~ $800
- Penetration testing: ~ $5,000+
- Remediation: ~ Varies depending on where the Entity is currently in relation to compliance and security
- Training and policy development: ~ $5,000+
Total: the listed items alone add up to more than $70,000 before remediation, so budget $70,000+, depending on the Entity’s current environment
Keep in mind: larger organizations, whose costs are much greater, would benefit most from outsourced services and an onsite HIPAA compliance audit to ensure that everything is being handled correctly. Organizations without the budget for an audit still need expert consultation to assist with their internal risk analysis and the development of their risk management plan.
The good news is that you don’t have to handle HIPAA compliance on your own.
As important as it is to invest in HIPAA compliance, there’s still the matter of making sure it’s done right. That’s where a trusted IT support partner can help. By having an experienced team of healthcare IT professionals manage your compliance program, you can keep your PHI secure without having to see to every detail yourself. One caveat: an IT provider that handles PHI on your behalf is itself a Business Associate and must sign a Business Associate agreement, and outsourcing the work does not transfer your organization’s own obligations under HIPAA.
The Veltec Networks team understands that many organizations like yours are unknowingly operating without full HIPAA compliance. Our team will assess your entire environment to identify opportunities for improvement so that you can have genuine peace of mind when it comes to protecting your patients’ sensitive information.
HIPAA compliance is not something that your healthcare practice can afford to overlook – you need a professional healthcare IT team on your side. Get in touch with us right away at (408) 849-4441 or info@veltecnetworks.com to get started.