HIPAA Security Dollars and Sense

Just How Much Does a Breach Cost?

By Bart Schaefer, CEO of Armored Envoy
Twitter: @ArmoredEnvoy

Health care providers are subject to stringent regulatory requirements around patient privacy, and HIPAA security protocols are designed to protect both patients and providers. “Breach” is a scary word, typically conjuring up visions of malicious individuals hacking into systems and swiping data en masse. However, it’s just as likely that a breach can occur unintentionally through benign neglect.

The digitization of personal health records has proliferated so quickly throughout the industry that health care providers are scrambling to keep up with the HIPAA security implications. While many large-scale providers have a handle on the HIPAA security standards associated with network security and the potential of a wide-scale breach, most don’t have measures in place to address the unintentional, far more prevalent risks associated with the electronic transmission of health records.

One of the key benefits of digital health records is the ability for multiple physicians to access and share a complete medical history for a given patient. With a shared full picture around prescriptions, allergies, conditions and major health events, multiple physicians treating the same patient are in a much better position to offer unified, timely and, therefore, superior care.

The problem, however, is fragmentation – a patient’s team of physicians is very likely not hooked into the same provider network. So how are physicians accessing and sharing patient health care records from different networks? Via email.

Emailing a patient’s records to another physician seems innocuous enough – the perceived risk of breach is exceedingly low, and, for any given email intercepted, only one patient is affected. But here’s the thing about an email breach – it’s typically not isolated, and the damages associated with failure to comply with HIPAA security requirements are significant.

How significant? Well, there are a host of both criminal and civil penalties.

On the criminal side, a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces up to one year of incarceration, and it is the act of obtaining or disclosing that must be knowing, not any awareness that the act was unlawful. The penalties escalate from there: an offense committed under false pretenses carries up to five years, and one committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm carries up to 10 years.

On the civil side, a covered entity that did not know, and by exercising reasonable diligence would not have known, that an act was a HIPAA violation faces a monetary penalty of $100 to $50,000 per violation, capped at $1.5 million per calendar year for all violations of an identical provision. The minimum per-violation amount rises through the tiers for reasonable cause ($1,000) and for willful neglect that is corrected within 30 days ($10,000); for willful neglect that is not corrected it is $50,000 per violation, with the same $1.5 million annual cap.

The point here is that all the email transfers that occur between provider networks and individual physicians must be secure and in compliance with HIPAA security requirements. And, if a breach is detected, the penalties are significant.

This is why secure document delivery capabilities are so critically important for health care providers – it’s not just about delivering on patient privacy protection. It’s also about proactively protecting the organization from both civil and criminal legal exposure.

Individuals are subject to criminal prosecution even when they intended no harm; what the statute requires is that the disclosure itself was knowing, not that the person realized it amounted to a breach. The key word here is “benign”: no one meant for anything bad to happen. In fact, when physicians share medical records via email, it is usually because they are endeavoring to provide a unified health care experience that incorporates the findings and insight of every practitioner involved in a patient’s care.

This is why it is critically important to encrypt email attachments containing private medical history data: if they fall into the wrong hands, the consequences can be disastrous.
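The article says attachments must be encrypted but does not say what that involves, so the following Go program is added here as an illustration; it is not code from the author or from Armored Envoy. It seals a record to one named recipient: a one-time X25519 key agreement against the recipient's public key, a per-attachment AES-256-GCM key derived with HKDF-SHA256, and the file name bound in as associated data so that a tampered or re-labelled attachment is rejected on receipt rather than decrypted into garbage. The recipient key pair, the wire layout, the context label kdfInfo and the sample record are all constructed for the example; how a physician obtains a colleague's verified public key in the first place is outside it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Wire layout of a sealed attachment: ephemeral X25519 public key (32 bytes),
// AES-GCM nonce (12 bytes), then ciphertext with the 16-byte GCM tag appended.
// kdfInfo is a hypothetical context label (an assumption, not from the article).
const (
	pubLen, nonceLen, tagLen = 32, 12, 16
	kdfInfo                  = "phi-attachment-v1"
)

// deriveAEAD turns the ECDH shared secret into a per-envelope AES-256-GCM key via
// HKDF-SHA256 (RFC 5869, one output block) with the ephemeral public key as salt.
func deriveAEAD(shared, ephPub []byte) (cipher.AEAD, error) {
	extract := hmac.New(sha256.New, ephPub)
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with the PRK
	expand.Write(append([]byte(kdfInfo), 0x01))
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAttachment encrypts plaintext to the recipient's public key. The file name is
// authenticated as associated data, so the record cannot be re-labelled in transit.
func SealAttachment(recipientPub *ecdh.PublicKey, filename string, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // Bytes() returns a copy, safe to append to
	aead, err := deriveAEAD(shared, ephPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(append(ephPub, nonce...), aead.Seal(nil, nonce, plaintext, []byte(filename))...), nil
}

// OpenAttachment reverses SealAttachment. Any change to the ciphertext, nonce,
// ephemeral key or file name fails the tag check and yields an error, not garbage.
func OpenAttachment(recipientPriv *ecdh.PrivateKey, filename string, sealed []byte) ([]byte, error) {
	if len(sealed) < pubLen+nonceLen+tagLen {
		return nil, errors.New("sealed attachment too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(sealed[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := deriveAEAD(shared, sealed[:pubLen])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sealed[pubLen:pubLen+nonceLen], sealed[pubLen+nonceLen:], []byte(filename))
}

// SelfCheck runs the exchange on a constructed record (not real patient data) and
// reports: round trip intact, flipped ciphertext byte rejected, renamed file rejected.
func SelfCheck() (roundTrip, tamperRejected, renameRejected bool, err error) {
	record := []byte("Patient: J. Doe\nAllergies: penicillin\nRx: metformin 500 mg\n")
	recipient, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	sealed, err := SealAttachment(recipient.PublicKey(), "doe-history.txt", record)
	if err != nil {
		return
	}
	got, err := OpenAttachment(recipient, "doe-history.txt", sealed)
	if err != nil {
		return
	}
	tampered := append([]byte(nil), sealed...)
	tampered[pubLen+nonceLen] ^= 0x01 // first ciphertext byte
	_, tamperErr := OpenAttachment(recipient, "doe-history.txt", tampered)
	_, renameErr := OpenAttachment(recipient, "smith-history.txt", sealed)
	return string(got) == string(record), tamperErr != nil, renameErr != nil, nil
}
```

The point of authenticating the file name is the one a practitioner tends to miss: confidentiality alone does not stop someone on the path from swapping one patient's sealed record for another's, whereas the AEAD tag check does. In practice this mechanism would sit behind S/MIME, OpenPGP or a secure-delivery service rather than being hand-rolled, but the three properties it demonstrates (a fresh key per attachment, integrity over the whole envelope, and binding of the metadata) are what any such product should be checked for.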

About the Author: Bart Schaefer has more than 15 years of experience as a key architect and senior developer of email systems, having created flexible and scalable solutions with an emphasis on open standards. Prior to co-founding Armored Envoy, Schaefer started Z-Code Software, based on the ground-breaking application Z-Mail, which won numerous awards, including PC Magazine’s Editor’s Choice Award. Schaefer is actively involved in email standards discussions with the Internet Engineering Task Force and the Anti-Spam Research Group, and contributes regularly to open software projects such as SpamAssassin.