• E-mail
• Print
• RSS

HIPAA happenings: HIPAA, HITECH fines are the tip of the iceberg

HIM-HIPAA Insider, August 4, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

When you think about a data breach, you probably think about things like maximum fines and penalties of $1.5 million, willful neglect, corrective action plans, and so forth, right? Well, think again. When a breach occurs, HIPAA and HITECH are not the only laws covered entities (CE) and business associates (BA) are up against. Further, the fines and penalties associated with breaches under HIPAA and HITECH are only the tip of the iceberg.

A CE and BA may face many more liabilities than those that might be imposed by OCR for breaches under HIPAA and HITECH. These additional liabilities, or exposures, are of two types. The first is internal exposure, which disrupts the organization's operations. The second is external exposure, which comes from additional regulatory agencies and from laws outside HIPAA and HITECH. Although CEs and BAs may be aware that additional liabilities exist, the impact they may have on an organization's operations and its ability to conduct business may be less understood.

Once a breach occurs, various actions must follow. The most obvious is the need to assess the suspected breach, and if necessary report the breach to the relevant parties, including OCR. The timing of this reporting is contingent on the size of the breach. Organizations must report large breaches (those affecting 500 or more individuals) within 60 days of discovery. Small breaches (those affecting less than 500 individuals) must be reported within 60 days of the end of the calendar year. In addition to a breach assessment, additional actions must be taken to address the security of ePHI. These steps may have an enormous impact on an organization.

In its study The True Cost of Compliance: A Benchmark Study of Multinational Organizations, the Ponemon Institute analyzed the costs associated with a breach and assigned them to four categories:

• Business disruptions
• Business productivity losses
• Lost revenues
• Fines, penalties, and other settlement costs

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive