For most people, losing a laptop is a setback of a few hundred dollars or a couple grand. You might lose some pictures, some music, or some important work. It’s not a happy event by any means.
But for healthcare professionals who store patients' health information on their devices, a lost laptop could end costing so much more. Such is the severity of HIPAA fines and the importance of safe digital storage. Need persuading?
Listen well to this tale of cyber security woe and you’ll see just how seriously the US Department of Health and Human Services (HHS) treats HIPAA violations in the digital age. According to insurance analytics and research firm Advisen, the medical group Cancer Care Group recently agreed to pay HHS $750,000 to settle claims that it violated HIPAA regulations. (Need a quick refresher on HIPAA? Read our intro to HIPAA and HITECH rules.)
What caused this massive payment? The report states in 2012, Cancer Care Group discovered that a laptop and unencrypted backup tapes had been stolen from an employee's vehicle. The laptop contained the unencrypted electronic protected health information (ePHI) of approximately 55,000 individuals, exposing their…
- Social Security numbers.
- Insurance information.
- And more.
Although the group didn’t admit liability for the occurrence, it did agree to pay the mentioned settlement and develop better risk management plans to protect its patients' information. Let its loss be your lesson not to make the same mistakes.
3 Ways to Avoid Hefty HIPAA Violations
You didn't get this far in your field without learning about HIPAA compliance, but Cancer Care Group's mistakes can still be a teaching moment for your practice. Specifically, the medical group may have avoided some of its troubles if it had done three things differently in handling its ePHI and responding to the breach.
- Speedy response time. According to the report, the medical group didn't conduct an analysis of the potential risks of its lost ePHI until three months after the laptop had been stolen. This no doubt contributed to the sizeable fine levied against the practice. Make sure your practice has a plan in place so it can quickly respond to lost or exposed ePHI.
- Train employees. The medical group didn’t have complete policies or training in place for minimizing data breaches and complying with HIPAA until the year after the laptop was stolen. Are you beginning to see a pattern of poor preparedness here? Risk prevention starts with well-trained employees. They're at the front line of cyber security, in a way, because they access and handle ePHI daily. Make sure they understand the importance of encryption, authorized access, and safe storage. Check out our article "Making Sure Your Practice is Compliant with HIPAA Security Standards" for more pointers.
- Secure all devices. It wasn’t some massive heist or complicated hack into a network that caused the group's breach. The $750k settlement is a direct result of one incident involving a single laptop. And the main reason? Patient data was stored unencrypted, available for anyone to access and use. It's easy to forget the magnitude of the issue when gigabytes of information can be carried away on a flash drive. But that's all the more reason to invest in quality training and security procedures.
It’s important to note, too, that this $750k figure includes only the fine for violating HIPAA. The group might face other costs, such as identity theft monitoring expenses and patient liability claims, too.
Smaller practices don't deal with as much data, so the potential cost for many practices might be smaller. Still HIPAA fines are nothing to sneeze at. Just look at this chart of HIPAA fines; a single violation could conceivably cost you $50,000.
How Cyber Liability Insurance Handles HIPAA Fines
For practices that want to cover all their bases, Cyber Liability Insurance is essential. This liability coverage is designed to address data breach expenses, including…
- Patient notification costs.
- Forensic investigation expenses.
- Credit monitoring costs.
- PR expenses.
Some Cyber Liability policies also offer coverage for HIPAA fines. It’s a last resort for when your risk prevention measures have failed, but the extra coverage may be the difference between staying in business and closing up shop. Ask your insurance agent about this coverage to learn more.