Organizations that are handling health data and require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) understand the importance of protecting health data. While the costs of protecting patient information may seem high, not doing so will result in even higher costs – especially given how tantalizing this highly valued data is to hackers. In terms of HIPAA, the Security Rule puts the rights that are granted by the Privacy Rule, related to protected health information (PHI), into action within digital settings. Beyond the specifics of HIPAA, PCI, the GDPR, and similar mechanisms, the concern with compliance at any organization extends to all external and internal rules that determine how data is handled.
Even among the most prestigious institutions in health care, noncompliance issues are cropping up. Just recently, the federal Department of Health and Human Services' Office for Civil Rights announced that it has reached separate settlements with Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital for compromising the privacy of patients' protected health information by inviting film crews on premises to film "Boston Med," an ABC television network documentary series, without first obtaining authorization from patients.
Altogether, Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital paid $999,000 to settle potential violations of HIPAA. It’s the second HIPAA case involving an ABC medical documentary series. In 2016, federal officials settled with New York-Presbyterian Hospital over possible privacy violations during the filming of ‘NY Med.'”
Despite the cost of noncompliance, research shows many organizations are not yet fully compliant.
The second phase of the HIPAA compliance audits by the Department of Health and Human Services’ (HHS's) Office for Civil Rights (OCR) started with desk audits in 2016 – a series on health care covered entities followed by one on business associates. Released by the OCR in September 2017, the results of the desk audits showed that nearly all companies had risk management plans that were noncompliant (94%), while the vast majority did not give patients sufficient personal health data access (89%) or conduct fully compliant risk analyses (83%).
These high numbers of noncompliance may seem to suggest that compliance is optional or is not that serious of a concern. The reason why high noncompliance numbers are alarming is that it often means some aspect of best practices is not being followed, and often that best practice is related to information security handling. Noncompliance represents risk. Risk is expensive and must be mitigated.
Compliance costs less than non-compliance and is critical given health data value
While the cost associated with it may serve as a barrier to compliance, the Ponemon Institute compared the costs of compliance against the costs of noncompliance and found compelling cost-related reasons to comply. Reflecting interviews with 237 executives at 53 multinational organizations headquartered in the U.S., the December 2017 report determined that 14.3 percent of IT spending was going toward compliance, an average of $5.47 million per company. Over the same twelve months, the analysts found that the average cost for noncompliance was $14.82 million, as outlined in the report. Those are rounded figures, but they showed that noncompliance is approximately 2.71 times costlier than compliance.
An average of $2 million was spent on data security, making it the largest average expense (with nearly two-thirds of that spending, 63 percent, going toward security technologies). Meanwhile, policy was the lowest cost category at slightly below $400,000.
While compliance is a core issue throughout business, the value of health data is rising in particular, as is the cost of safeguarding it. The electronic protected health information (ePHI) handled by organizations that require HIPAA compliance makes them a key target for attackers.
The Ponemon's Cost of a Data Breach Studies from the past three years indicated that health care data is worth more than the data from any other sector. In two of those three studies, health care data was more than double the worldwide average. Worldwide average per stolen record was as follows generally and for ePHI:
- 2017 – overall $141 vs. health care $380;
- 2016 – overall $158 vs. health care $355;
- 2015 – overall $217 vs. health care $363.
The good news is there are several methods organizations can use to slash compliance costs.
Cutting costs with audits & governance
Across industry, fines, penalties, settlements, productivity losses, and business disruption are typical noncompliance costs.
Take the case of UMass Memorial, whose health care entities have agreed to pay $230,000 to the state of Massachusetts to resolve claims that two separate health care data breaches exposed PHI of more than 15,000 state residents.
The lawsuit by the Massachusetts Attorney General (AG) alleged that health care facilities received complaints about two employees accessing patients PHI to open cell phone and credit card accounts. However, the they did not investigate the complaints, discipline the employees involved in a timely manner, or take other steps to safeguard the information. The data breaches exposed patient information including names, addresses, Social Security numbers, clinical information, and health insurance information.
Better governance allows organizations to know where their ePHI or other key data is located. Knowing this becomes more important with the data security and response time parameters of the PCI DSS, the GDPR, HIPAA, and similar laws.
A final option to improve compliance is to work with third parties that are highly familiar with compliance parameters – especially for organizations handling ePHI. Compliance continues to evolve and it’s important for health services researchers and other data users to consider ways that industry partners can help support the data and research lifecycle by staying up-to-date on changes.
By already having the key elements of governance and auditing in place, and through systemic adoption of the technical, administrative, and physical safeguards required by the Security Rule, organizations can more fully maximize the value and use of their data to improve health and health care.
The opinions expressed in this blog post are the author's own and do not necessarily reflect the view of AcademyHealth.
Organizational Affiliates are a critical link in AcademyHealth’s ability to effectively advocate for the field, and support the future field of health services researchers. Organizational Affiliates gain visibility among AcademyHealth membership, enjoy unique networking opportunities, and benefit from event discounts. Click here to learn more.