Bob Chaput

Most revenue cycle management initiatives are designed to deliver steady, significant improvements to an organization’s bottom line. All of those gains can be wiped out by a single data breach and its associated costs.

If you visit HHS’s so-called “Wall of Shame” (the Office for Civil Rights breach portal, which lists every reported breach affecting 500 or more individuals), you’ll find the names of many well-known healthcare organizations. The common denominator: most of them never conducted a rigorous HIPAA security risk analysis, and they got burned.

Healthcare data breaches seldom make the national news the way the recent Target breach did, but they carry serious costs that can run into the millions once you add up forensics and notification, legal and regulatory penalties, class-action lawsuits, and business lost to reputational damage. Regulatory fines are also on the rise. Before the HITECH Act, civil penalties were capped at $25,000 per calendar year for violations of a single HIPAA provision. Now the cap is $1.5 million per calendar year for each provision violated, and a violation due to willful neglect starts at $50,000. Any single data breach usually involves several specific HIPAA violations, and each violated provision carries its own cap.

Many healthcare organizations approach the problem with misguided technological zeal. They assume that Russian hackers pose the biggest threat, yet only 8 percent of the breaches listed on the HHS Wall of Shame are attributed to hacking. Theft or loss of everyday items such as laptop computers accounts for nearly two-thirds of them.

Your friends, not your enemies, are more likely to be involved in an inadvertent data breach. HIPAA’s expanded privacy, security, and breach notification rules now apply directly to a healthcare organization’s business associates: every vendor and service provider that creates, receives, maintains, or transmits patient data on its behalf. Last year, breaches involving business associates exposed nearly 13 million patient records.

So here’s the main take-away: all of your annual revenue cycle savings can go down the drain with a single data breach. Let’s do the math:

  • The average cost of a data breach is now about $200 per patient record. Lose a laptop containing 5,000 patient records, and that’s a cool million right there.
  • A class-action lawsuit can be crippling. A recent Temple University study found that the average settlement award in a data breach class-action suit is $2,500 per plaintiff, with attorneys’ fees just north of $1 million.
  • Cyber-liability insurance is often prohibitively expensive. For a typical healthcare organization, annual premiums run in the $200,000 range, with deductibles as high as $500,000. Most organizations can avoid that huge up-front cost by overhauling their data security policies and procedures.

Before you panic, there’s an unbiased way to estimate your organization’s risk exposure. The American National Standards Institute (ANSI) offers a free publication online, The Financial Impact of Breached Protected Health Information, that gives an excellent overview of data breach issues and includes a method for calculating the cost of a breach at your organization.

No healthcare organization wants to see its revenue cycle improvements disappear because of a preventable data breach. There are many practical steps you can take to avoid that outcome, starting with the rigorous risk analysis required by the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)). Don’t add your name to the Wall of Shame.


Bob Chaput, CISSP, HCISPP, CIPP/US, is CEO of Clearwater Compliance, Brentwood, Tenn.

Publication Date: Friday, April 18, 2014