Eliminate 7 HIPAA Risks with One Simple Decision

It never ceases to amaze me how many people don’t understand HIPAA and the risks associated with not complying with HIPAA. If you’re a patient, I can understand not fully understanding the laws. However, I’m talking about those working at hospitals, health systems, medical practices, and health IT vendors. I think most have a general understanding of HIPAA, but it’s shocking to see some of the things these organizations do that are definitely putting them at risk when it comes to HIPAA and related privacy and security rules.

To help healthcare organizations better understand some of the HIPAA risks they face and how they can address them, Colin Hung from Healthcare IT Today collaborated with the team at Liquid Web, a HIPAA hosting provider, to create an eBook titled “Eliminate 7 HIPAA Risks with One Simple Decision.” (Full Disclosure: Healthcare IT Today is hosted on Liquid Web)

As I looked through the list, a couple of HIPAA risks really stood out to me. The first is the financial and reputational risk to healthcare organizations. The second is that as organizations scale, they don’t scale their HIPAA compliance efforts to match.

As is highlighted in the HIPAA Risks eBook, the financial damages that come from a HIPAA violation can really add up. Sure, people generally know about the fines associated with a HIPAA violation, but there are so many other costs. Here’s a look at just a few of the various costs associated with a HIPAA breach:

Along with the financial costs, breaches almost always come with major reputational damage. While leaders would probably love to keep a breach private, there are laws that require a healthcare organization to notify HHS and patients when a breach occurs. HHS then shares that info on what has become known as the HHS wall of shame (officially the HIPAA Breach Report).

You can’t hide a breach or a HIPAA violation, and thus you are subject to that reputational damage. This has important business ramifications, but it also harms patients’ trust in your organization. Do patients want to go to an organization that doesn’t protect their data? Will the patient share their health information with you if they don’t trust that you’re going to keep it private and secure? This damage to your reputation is real, and it happens when you are not compliant with HIPAA and do not protect patients’ data.

The other HIPAA risk that stood out to me in the eBook was how as organizations scale, HIPAA compliance often doesn’t scale with them. I think this is true as medical practices and health systems scale by acquiring each other, but it is also true as healthcare organizations scale their use of IT.

We all know how much consolidation has happened in healthcare. As medical practices merge, you have a merging of technology and HIPAA practices. Unfortunately, and needless to say, maintaining HIPAA compliance and the security of patients’ information isn’t often part of the M&A due diligence process. Those doing the deals make the deal happen and then deal with the HIPAA compliance later (if they ever get to it). This is problematic since it often leaves orphan systems that become a HIPAA compliance risk and old processes that create HIPAA compliance issues.

HIPAA risks pop up as healthcare organizations scale as well. As the eBook notes, if you haven’t built your organization on a solid HIPAA-compliant hosting foundation that can scale, this becomes really problematic as more systems, features, and enhanced digital experiences are implemented. That’s a HIPAA risk that no one wants, but many forget about it as they scale.

Those are just a few of the HIPAA risks that stood out to me. Be sure to download the free eBook “Eliminate 7 HIPAA Risks with One Simple Decision” to see all of the other risks that every medical practice, hospital, and health IT company should be aware of so they can avoid those problems.

The good news for all these risks is that there is a solution. In most cases, that starts with choosing good partners who understand HIPAA compliance, are willing to sign a BAA (Business Associate Agreement), and are able to scale to whatever your technology needs may be.

This is particularly true for your web hosting provider. There are a lot of web hosting providers out there that can cheaply host your organization’s webpage, but they aren’t HIPAA-compliant. Plus, cheap web hosting doesn’t scale to the HIPAA hosting needs of healthcare organizations.

What HIPAA risks do you see in healthcare? What are you doing at your healthcare organization to avoid HIPAA-related fines, penalties, and reputational damage? We’d love to hear your thoughts on this important topic on social media.

Liquid Web is a proud sponsor of Healthcare Scene.
