The introduction of new, tougher HIPAA Rules coupled with increased enforcement against HIPAA violators means the price of HIPAA non-compliance is now far greater than the cost of HIPAA-compliance. Unfortunately, many HIPAA-covered entities discover this too late, once an avoidable data breach has been suffered.
In recent months there have been numerous examples of healthcare providers, Business Associates and health plans that have discovered the cost implementing a full data breach response can be astronomical. Data breach lawsuits even more so.
One of the best examples comes from the recent data breach settlement reached between a Florida-based health insurer, AvMed, and class-action lawyers representing the breach victims. The company decided to pay a data breach settlement of $3 million, which it could have avoided by implementing some much cheaper data protections systems back in 2009.
Data breach litigation is best avoided, but in this case it was inevitable. The health insurer had two laptop computers stolen which were used to store the records of 1.2 million plan members. The company did not encrypt the data, even though the devices were portable and easily stolen.
The data on the laptops included Social Security numbers and health information along with personal identifiers. While liability for the data breach was not accepted, AvMed did agree to settle the class-action lawsuit and end the lengthy and expensive court case.
Non-Compliance Can Result in Huge Costs
Under the settlement agreement, in addition to the $3 data breach settlement, AvMed must put a number of protections in place to prevent further breaches. Had those protections been put in place before the breach, the costly data breach litigation could have been avoided.
The settlement does not end there. AvMed was deemed to have charged its members for data protections that were not put in place, and these “premium overpayments” must be returned. They amount to $10 per person, a sizeable refund to pay on a database containing 1.2 million plan members. AvMed must also cover the cost of actual losses suffered as a result of identity theft.
And those costs are just for the data breach class-action settlement. State attorney generals can make company’s pay for a lax attitude to data security that leads to a breach being suffered, and even bigger fines can be issued by the Department of Health and Human Services’ Office for Civil Rights. Those costs could be yet to come.
The final cost of HIPAA non-compliance will not be known for a number of years, but AvMed will certainly now think it would have been far easier and cheaper to have paid for data encryption on the laptops. With data encryption, the theft would not have resulted in a data breach and HIPAA Rules would not have been violated.