Given the high rate of IT Security incidents, it has become imperative for “covered entities” in the healthcare industry to strive towards Health Insurance Portability and Accountability Act (HIPAA) Compliance. The repercussions and risks for non-compliance are too large to ignore. HIPAA is a US Federal government mandate requiring all healthcare providers to protect the security and privacy of all Personal Health Information (PHI). Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the U.S. Department of Health and Human Services has adopted standards (see 45 CFR 160.103). This includes entities covering health plans, healthcare providers, and healthcare clearinghouses.
According to a July 2021 report from the HIPAA Journal titled “July 2021 Healthcare Data Breach Report“, there is a growing trend of data breaches at U.S. Healthcare entities that involves 500 or more patient data records. From a low of 32 reported incidents in January 2021 to 70 in June 2021, these breaches are growing, impacting over 5.5M records in July 2021.
The top three reasons that covered entities must be HIPAA compliant are:
- Reputational Risks
- Financial Risks
- Reduced Cyber Security Exposure
1. Reputational Risks: Reputational risks due to cybersecurity incidents pose a threat to covered entities as it can destroy goodwill in the blink of an eye thereby reducing the public’s trust in an entity. Furthermore, the covered entities’ affiliations, mergers, integration and corporate alliances can be negatively impacted due to data breaches.
2. Financial Risks: Beyond the direct cost of remediating a cyberattack and the indirect cost of damaged brand reputation, financial costs are direct and measured. For example, data breaches often lead to penalties from enforcement agencies such as the HHS OCR, legal fees, Third party fees, and victim restitution fees. OCR’s maximum penalty for a data breach is $1.5M plus progressive disciplinary actions for repeated failures. In a 2020 IBM Security report, the healthcare industry incurred the highest average cost of data breaches which amounted to approximately $7.1M per incident. While cybersecurity insurance may offset some of these financial costs, it’s generally in the best interest of covered entities to avoid the need to file such claims.
3. Reduced Cyber Security Exposure: By Being HIPAA complaint, covered entities reduce their security gaps. HIPAA compliance includes reduction of exposure to Technical, Administrative, and Physical safeguards and compliance with NIST standards such as:
- 800-122 – Guide to Protecting the Confidentiality of Personal Identifiable Information (PII),
- 800-111 – Guide to Storage Encryption, Technologies for End User Devices,
- 800-66 Rev. 1 – Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and
- 800-88 – Guidelines for Media Sanitization.
DelNovak recommends a HIPAA security risk assessment to ensure that covered entities are following HIPAA rules and are in compliance. In cases where there are gaps in HIPAA compliance, DelNovak works with covered entities to develop and implement remediation plans.
Contact us to discuss how we may be of service.