Healthcare Compliance: Costly, but Ultimately Good Medicine
The Cost of Compliance Is Staggering
Across industries, organizations face increasing and ever-changing compliance requirements and data privacy laws. The cost of attaining compliance has grown steadily, with some heavily regulated industries, like healthcare, carrying a large portion of this burden. While achieving regulatory compliance can be complicated and expensive, the alternative is likely more costly: hefty fines, remediation, legal fees, and immeasurable damage to customer trust.
In August 2020, an article by Hyperproof detailed just a few of these gasp-inducing costs.
- The average business in the U.S. spent $10,000 per employee on regulatory costs.
- The estimate for regulatory compliance and its ensuing economic effects comes in at $1.9 trillion annually. The article goes on to point out that if this cost were a country, it would be the 9th largest economy, just behind India and slightly ahead of Canada. Ouch!
- Across all industries worldwide, the average compliance cost is $5.47 million.
- Specialized technology to address compliance regulations is the line item companies spent the most on, with incident response and audits/assessments coming in close behind.
What about Healthcare Compliance?
For healthcare, the Health Insurance Portability and Accountability Act (HIPAA) has been one of the most impactful and familiar regulations. According to a 2017 report by Globalscape and the Ponemon Institute, HIPAA is among the top five most difficult compliance regimes to achieve. HIPAA was enacted in 1996 and mandates regulations to protect the privacy and security of certain health information. Is this now 25-year-old law still a factor in compliance costs? The answer is yes, but its effect has evolved.
The growing presence of technology in healthcare contributes greatly to rising compliance costs. Year after year, technology becomes more pervasive. From wearable heart monitors and patient portals to mobile clinics and virtual doctor's visits, healthcare, and the protected health information (PHI) it generates, is continually merging with technology. Because of this, new privacy and HIPAA-related challenges crop up every day.
Like many regulations, HIPAA compliance is not a one-and-done event. It is an ongoing process. The regulations created under HIPAA remain relevant today and continue to evolve, including the HIPAA Security Rule, which sets requirements for safeguarding electronic PHI. In addition, the HIPAA Privacy Rule is designed to protect patients' PHI, which covers any information regarding "health status, provision of healthcare, or healthcare payment." The obligations and opportunities for HIPAA compliance multiply as healthcare technology expands.
Securely Accessible Data
To remain compliant, healthcare companies must not only protect PHI, but also be able to prove that they are doing so. Additionally, the healthcare industry walks a tightrope of sorts, as it tries to balance the need to share patient data for better quality of care with the need to ensure data privacy and security.
PHI is highly valuable to attackers, because PHI and the personally identifiable information (PII) associated with it can be used to obtain prescription drugs, file false insurance claims, and form the basis of healthcare-related fraud. For these reasons and more, busy healthcare organizations need to keep a targeted focus on security to avoid breaches.
When data breaches make the news, they are often related to healthcare. According to the 2020 SecurityMetrics Guide to HIPAA Compliance, healthcare organizations accounted for nearly 36% of data breaches in 2020. The pressure is on for healthcare companies to ramp up data security while keeping data appropriately accessible. For many organizations, this means significant system replacements or upgrades, a ramp-up in training, and substantial investment in critical software solutions.
Resistance to Compliance Measures is Futile and Costly
Some companies delay compliance efforts because of the associated costs. In doing so, they risk large fines and the loss of patient trust in an effort to save on compliance-related expenditures. This is a short-sighted, high-risk strategy that will likely cost these organizations money rather than save it. While the price of implementing compliance measures for medium- to large-size healthcare organizations averages $80,000, that is a far cry from the $180,000 to $8.3 million an organization can expect to pay should a data breach occur, according to SecurityMetrics data.
Non-compliance can cost companies in the following ways:
- Business disruption: Total economic loss that results from non-compliance events or incidents, such as the cancellation of contracts, business process changes imposed by regulators, shutdowns of business operations, and others.
- Productivity losses: Lost time and related expenses associated with the downtime of systems and other critical processes, which prevents employees from accomplishing their work-related responsibilities.
- Fines and penalties: Monetary and business penalties levied against an organization by regulatory enforcement entities.
- Settlement costs: Legal or non-legal settlements associated with data protection non-compliance issues. This includes expenditures for legal defense and other experts engaged to help resolve issues arising from compliance infractions and data breaches.
Healthcare organizations that adopt a wait-and-see attitude toward compliance stand to lose a great deal through procrastination. From a business perspective, the ramifications of non-compliance and a potential data breach are far pricier than the cost of compliance. Additionally, there are losses that go beyond monetary value, such as the loss of patient or partner trust. These intangibles not only cost your business but can be very difficult to regain.