Healthcare Organizations And HIPAA – The Cost Of Non-Compliance


Courtesy of Convergepoint

When stories break in the media of medical files with patient information found in dumpsters, or laptops with unencrypted data left in cabs or stolen from offices, one element that is often overlooked is that the medical offices in question are usually in possession of full HIPAA compliance certification. All the necessary 'i's have been dotted and 't's crossed to ensure that the office stays in the good graces of the HIPAA auditor, and everyone goes about their business assuming all is well.

The critical mistake here is that the company is paying more attention to the certificate than to the compliance process that the certification is supposed to validate. Once the certificate is achieved or renewed, compliance is often relegated in favor of the next crisis or executive project until the date of the next inspection rolls around. The rationalization is that compliance is expensive, time consuming, and adds an inconvenient administrative burden on personnel who are being asked to focus on patient satisfaction above all else.

While there is no doubt that compliance can be time consuming, patient satisfaction, from the patient's perspective, includes reassurance that their personal information is secure at all times. As for expense, the cost of non-compliance is increasingly making any operational compliance costs look like a bargain.

A study by the Ponemon Institute, “The True Cost of Compliance,” examined average compliance costs across 46 organizations with compliance budgets ranging from $446,000 to over $16 million. Averaged by organizational headcount, the per capita compliance cost came out as $222 per employee. When non-compliance costs resulting from fines and penalties, policy enforcement, data protection, staff training, and system improvements were calculated across the same organizational headcount, the average cost was $820 per employee.

HIPAA violations would no doubt exceed that average by a large margin. Penalties are calculated per individual violation on a scale that rises from "Did Not Know" ($100) to "Willful Neglect – Not Corrected" ($50,000), so the maximum penalty of $1.5 million per year can be reached very quickly. One State's DHSS, for example, was fined $1.7 million as a result of the theft of one unencrypted USB hard drive. Of greater concern, however, is that "Willful Neglect" violations carry criminal penalties that can result in jail time.

As the term implies, “Willful Neglect” indicates a conscious choice, budget-driven or otherwise, not to treat compliance with the degree of importance it so clearly demands. Evidence of a lack of training, inconsistent policy development, poor policy enforcement, and the absence of internal audits can all undermine attempts to minimize the financial damage and possible jail time for senior executives who were so committed to the lowest possible operating costs in the name of maximum shareholder value.

Treating compliance costs like fleet vehicle or property maintenance expenses, and trying to squeeze one more year of deferred expense out of that line item, can prove to be a misguided and potentially catastrophic decision. Without clear evidence of policies, procedures and processes that are proactively committed to compliance, any audit places the company on the defensive. A comprehensive software solution that tightly controls access to limit personnel error, and that documents in detail each employee's understanding of why compliance with all relevant rules and regulations matters, represents your best option for a compliance department that stands behind the certificate you so proudly display to your patients.
