A summary of the settlement can be found here. You can rest assured that although this is the first settlement under the HITECH Act, you can expect to see many more over the coming months and years, if we can believe the data that indicates that a PHI data breach occurs on average every other day.
We have often argued that Breach Notification is the 800-pound gorilla of the HITECH Act. We believe that the data will continue to show that a covered entity or business associate is far more likely to get fined or sued as a result of a data breach than as a result of a random audit.
So what are the takeaways from BCBST?
- Compliance is a process. BCBST should have performed another security evaluation as a result of operational changes (i.e. moving).
- Compared to the fine and the cost of breach notification, an investment in encryption technologies would have likely been far less expensive (not to mention the compliance ROI going forward).
- The fine from OCR was dwarfed by the cost of Breach Notification, a data point that has been validated over and over with respect to other breaches.
- For the sake of argument, let's assume it was exactly 1 million patient records that were breached. We will use a conservative estimate of notification cost per record of $200 (according to the Ponemon Institute the average cost is higher). Doing the math, we estimate the cost of Breach Notification would have been $200M, a staggering number. The actual cost was $17M according to various reports. Now $17M is STILL an order of magnitude greater than the OCR fine of $1.5M, but nowhere near $200M. There is something wrong with this picture. We have long suspected that $200 per record was grossly overstated. At these numbers even a relatively small breach could bankrupt some providers. More work needs to be done in this area to better understand the underlying cost factors of notification.
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.