HIPAA Compliance and the Total Cost of Ownership

Healthcare is subject to some stringent regulations when it comes to data security. Between outside threats such as hacking or inside threats (be them malicious or human error), protecting personal health information is a difficult job that must be given the utmost attention. A single issue can cause irreparable harm to your practice. A failure to secure all of your assets can lead to complicated and expensive fees and reparations.

How A Laptop Becomes a Million Dollar Device

Imagine opening your mail and finding an invoice for a laptop. The cost? One million dollars! Is the tech geek side of your brain trying to figure out what sort of bells and whistles that machine must have? Is the practical side trying to determine if there is any way that it could possibly be worth it?

Now, let me complicate things with the details. It is a Lenovo ThinkPad running Windows 7. Did your head explode as the geek brain and the practical brain joined forces in a chorus of NO, I WOULD NOT PAY $1,000,000 FOR THAT MACHINE?

To make matters worse, you cannot even access this laptop. It’s gone, nowhere to be found. Chances are that you would budget under $1,500 for replacement. In theory you might be right. The problem here, and what makes that laptop so valuable, is that you work in healthcare. Moreover, in your industry, you are on the hook for compliance. You are subject to HIPAA (Health Insurance Portability and Accountability Act) regulations. Not taking the technical precautions to protect clients Personal Health Information (PHI) can cause that laptop to skyrocket in its expense structure to your practice. So how are you budgeting for Total Cost of Ownership (TCO)? The way I see it, there are two options: gamble or prepare.

Choose your own Adventure

Gamble:

The gamble is exactly what it sounds like, a roll of the dice. You can choose to believe that an incident will never happen to you, and have the greatest of intentions, but that will not prevent every scenario.

  • What if a staff member’s car is stolen and that laptop happens to be inside?
  • Or a bag?
  • A home?
  • What about a decommissioned laptop that can’t be accounted for?
  • Or where your internal process breaks down and a device isn’t wiped prior to disposal, recycle or repurpose?
  • And what about incidents that do not involve physical loss?

Hacking is a billion dollar industry that shows no signs of slowing down. Though it is a sad state of affairs, it is irresponsible not to plan for a potential breach. Did you know that 66% of healthcare organizations have experienced a ransomware attack in the last year? Perhaps you are relying on your insurance to cover the breach and the associated expenses? Although Cyber Liability riders are a growing trend, claims are never the easiest to file for, or to win. Insurance is a smart choice for your business, but not on its own. The good news is that before they will even sell you a plan, many providers want to know that you already have an infrastructure in place to prevent incidents. Even with insurance, the other side of the TCO equation is how the regulating body, the Department of Health and Human Services (HHS) Office for Civil Rights, will render a punishment. There is a wide range of potential fees that can be administered to the offender. They weigh many factors in making this decision such as: Were the proper steps put in place to prevent the incident? How many clients were affected? Were you aware of the risks? The truth is, if you are not educating your staff and protecting the PHI that is stored on that device, you are taking an unnecessary risk. Your choice effects the future of your practice, both through the financial repercussions as well as those from the damage done to the practice’s reputation. If clients determine that you were callous/careless with their information, the loss of business and referrals could shut your doors. There is no insurance for your publicly facing image.

Prepare:

The other option is to prepare. Healthcare has the highest average cost of any industry experiencing a breach, hovering at around $429 per record. It is required by federal law to report any breach that affects 500 or more records (laws at the state level can be even stricter as in New Jersey and New York with no minimum number). Do the math…even with only these two numbers in consideration, your laptop has ballooned to over $214,500. So what policies and procedures, what safeguards, do you have in place? Encryption (required in NJ for all electronically stored PHI), data access controls, cyber security education, and an asset disposal/repurposing plan are just some of the ways that a practice can illustrate that they are doing their due diligence to protect client information.

Other recommendations include having an anti-virus solution, as well as a properly configured firewall, network monitoring, two factor authentication, and Domain Name System (DNS). Actions such as these are valuable in preventing, and in dealing with the aftermath of, a potential breach. Although penalties from HHS can be as little as $100 per record or violation, if neglect or negligence is determined to be a factor, the price can be up to $50,000 per record or violation. In the event that fees are imposed, they are calculated per violation and compounded daily. Keep in mind the average cost of a healthcare breach in the US for 2018 was $15 million. Although the ultimate goal would be to avoid an incident altogether, a plan for recognizing a breach and resolving that breach becomes vital. This is how a simple laptop can cost you over a million dollars.

Put your Money into your Business, not Fines

Who would you rather pay? In one instance, you can write a blank check to HHS and wait for the trouble to come. When it does, you will need to scramble to make your systems compliant, all while you have lost the trust of your client base….double whammy. On the other hand, you strive for the continued improvement of your practice’s technology environment. You hire a Managed Services Provider, like Infoaxis, an expert who can help navigate the intricacies of HIPAA regulations. Best practices will be in place to limit and mitigate the chances of any potential breach or loss. Your dedication to your clients through technology becomes a competitive advantage. This is a true investment in the future of your practice, and one that could really keep down the cost of that laptop.

Protect PHI and control TCO. Get ahead of the game. Bet on your practice and embrace IT.

For more information call Infoaxis today at 201-236-3000 or click here to engage.