More on Risk Management

Massachusetts HIPAA fine shows the financial risk in healthcare breaches

Beyond potential fines are the price of making sure the hospital is in compliance and the unquantifiable cost of the loss of reputation and trust.

Susan Morse, Managing Editor

Photo of St. Elizabeth Medical Center from Wikipedia.

Recent high profile alleged HIPAA violations are a shot across the bow to providers on the financial risk of security breaches.

This month, a Massachusetts hospital settled a HIPAA complaint by agreeing to pay $218,000 for permitting employees to use a Web-based file-sharing application to store patients' protected health information, according to the Department of Health and Human Services.

Beyond the cost of the fine to St. Elizabeth's Medical Center in Brighton, Massachusetts is the price of making sure the hospital is in compliance and the unquantifiable cost of the loss of reputation and trust, according to Attorney Matt Fisher, who specializes in HIPAA as co-chairman of Mirick O'Connell's Health Law Group in Worcester, Mass.

"The other side that's hard to quantify, is what is the financial hit towards reputation and trust?" Fisher said. "I always see figures that say 30 percent of patients say they would switch providers if their provider suffers a breach."

[Also: Anthem hit with huge data breach]

However, the biggest single factor he sees in HIPAA violations is insider snooping.

"Insider snooping is recognized as the largest cause of celebrity breaches," Fisher said.

This goes to another well-publicized case, that of an ESPN reporter tweeting the medical records of NFL player Jason Pierre-Paul.

The photo of the medical record showed the right index finger had been amputated. This was after it was reported the player had been injured in a fireworks accident over July 4th.

[Also: Fines are few, but healthcare data breaches aren't]

Jackson Memorial Hospital in Miami, where the surgery took place, announced it would aggressively investigate whether an employee leaked the medical chart, according to The Daily News.

While the employee could be subject to criminal liability, the hospital could also be held responsible, according to Fisher. There's the threat of a potential lawsuit, as well as a HIPAA violation.

The amount of such a fine in a HIPAA case would be hard to estimate, he said.

"Really, there's no rhyme or reason to the fines imposed by Office of Civil Rights," he said. "The best guess is looking at the size of the organization and how much of a financial hit that financial organization can absorb. I've seen fines of $125,000 up to multi-millions."

In another insider snooping case, in July 2011, the University of California at Los Angeles Health System agreed to settle an alleged HIPAA violation at a cost of $865,500. Two celebrities had filed separate complaints saying employees of the health system repeatedly and without medical reason looked at their health information, according to a published source.

The largest settlement to date has been a whopping $4.8 million fine paid by New York-Presbyterian Hospital and Columbia University Medical Center, after a single physician accidentally deactivated an entire computer server, resulting in electronic patent health information being posted on Internet search engines, according to Healthcare IT News.

The fine settled allegations of HIPAA violations for the information of 6,800 patients winding up online in 2010. The data was so widely accessible that the entities learned of the breach after receiving a complaint by an individual who saw the information online.

Like Healthcare Finance on Facebook

The fines send a clear message by the Department of Health and Human Services for providers to secure their records.

"It's cheaper to figure out what to do to become compliant," Fisher said, though added some hospitals may be reluctant to make that investment.

"It's always tough to spend resources where they don't see a return on the investment," Fisher said. "Putting money (into compliance) saves money in the future."

He recommends facilities monitor and audit access to electronic records to make sure hospital and staff are in good compliance with security rules.

Violations can be levied even in instances, such as with the recent St. Elizabeth Medical Center case, there is no indication that patient data has been viewed or misused.

Getting into compliance is a matter of following rules and regulations that should already be in place, said Fisher, who writes a blog on these issue.

"Putting compliance in place shouldn't be hundreds of thousands of dollars," Fisher said. "Yet resolving the complaint is coming at a cost beyond the fine. The financial impact goes beyond any fine imposed by the government."

Twitter: @SusanMorseHFN