A surge in data privacy breaches and the accompanying string of recent HHS enforcement actions should remind healthcare providers of the importance of data privacy protection and the skyrocketing costs of failing to comply. The number of data breaches rose 97% in 2011, as reported by the Salt Lake Tribune in the context of the massive breach of health information privacy in Utah earlier this month.
At the same time, HHS has stepped up its enforcement actions. Last week, we touched on the $100,000 OCR settlement with a cardiology practice in Arizona. Last month, HHS reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) for a breach of about 1 million unencrypted patient records that resided on over 50 stolen hard drives. However, the $1.5 million settlement amount was dwarfed by the $17 million BCBST had to spend on notification and credit monitoring expenses, as well as on investigating and correcting the breach.
The BCBST settlement is a good reminder that breaches and noncompliance can be extraordinarily expensive, even without the federal and/or state regulatory fines. A December 2011 Ponemon Institute study found that data security breaches cost the healthcare industry $6.5 billion in the year leading up to that study. Just last month, a medical records company filed for bankruptcy after its offices were burglarized and medical records of over 14,000 people were stolen. The costs and expenses associated with that breach were so high that the firm had no choice but to go out of business.
These cases also demonstrated that OCR will investigate a breach regardless of the organization's size or reach. In fact, smaller practices should pay particular attention to these developments: a recent study showed that smaller healthcare providers are more likely to suffer a breach because their Internet and sharing practices are likely not as secure as those implemented at large healthcare provider organizations.
Basic compliance with HIPAA and the related regulations is, of course, required, but it is not a panacea. A study by the American National Standards Institute found that insufficient funding and lack of managerial support were among the key causes of security breaches of protected health information.
A HIMSS/Kroll study showed that while most of the surveyed healthcare providers are compliant with the applicable laws, regulations, and industry standards, significant security challenges remain. Employees' compliance with the organization's policies was the primary concern, reported by nearly half of all respondents to that survey. The constant evolution of tech devices, and of the way doctors and patients interact using such devices, is another huge challenge, since regulations cannot keep up with the exponential rate of change in this market.
Finally, the HIMSS/Kroll study showed that healthcare providers are also concerned about third parties (e.g., contractors, business associates, et al.) who have access to such providers' patient information. As we have written previously, it is absolutely crucial to have the right contractual protections in your license and services agreements with such third parties, including indemnification or cost reimbursement provisions in the applicable Business Associate Agreements. A hacker or an intentional theft or disclosure by an employee may be difficult to control or prevent, but each healthcare provider can protect itself contractually against the costs associated with a data breach if such breach was caused by the negligence of a business associate or a third-party contractor.