Could budgeting for an independent HIPAA audit be well worth the investment for business associates? In the event of a HIPAA violation, the numbers for federal penalties, legal and security fees and resulting lawsuits add up to a significant sum that has a serious impact on the bottom line. The annual investment is often worth it – especially since current statistics show business associate-related breaches were responsible for 62 percent of the total number of patient records breached (HHS.gov).
Business associates (BAs) don’t always have the mindset that an independent HIPAA audit in advance of a problem is worth budgeting for. And it might be that covered entities (CEs) aren’t ready to insist that BAs undergo a HIPAA audit in prevention of a future breach. Yet, more patient records are affected by data breaches that involve BAs than those that don’t, according to current statistics.
Even though BAs were only involved in 19% of the total breaches, BA-related HIPAA breaches were responsible for 62% of the total number of patient records breached, or 4.4 million or more patient records breached than those that only involved a CE (from the HHS wall of shame).
With penalty fees averaging $1000/patient record, most BAs would be put out of business for a breach of several hundred records. For example, NYTimes.com wrote about a nonprofit health consultant who has already spent $300,000 in legal and security fees following the theft of an employee’s laptop that contained 13,687 patient records. Additionally, his company had to deal with the aftermath of notifying and compensating affected patients with free credit monitoring. A separate incident with Sutter Health, a nonprofit health system based in California, is now facing two class-action suits, each seeking $1,000 for each patient record breached.
As the number of reported breaches rise, independent audits are becoming more of a necessity to protect businesses from the growing costs of a breach. According to the Poneman Institute, the number of reported data breaches is up 32 percent this year from last year, costing the healthcare industry an estimated $6.5 billion in 2011.
An audit and an initial risk assessment can help your business pinpoint any areas of weakness in security and privacy policies, practices and procedures. Working with the experts to remedy any issues can make your company more resilient and prepared when it comes to protecting sensitive data and avoiding legal and security fees.
For more on HIPAA violations, business associates and how to stay compliant, watch our webinar on HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices.