Playing it Safe: The Compelling Business Case for Enhancing PHI Security
We all know safeguarding Protected Health Information isn’t just a good idea; it’s the law and the right thing to do. Yet many organizations continue to put themselves at great financial and reputational risk when it comes to the privacy and security of the data they hold. But why?
Sometimes senior execs just don’t understand the potential impact of a major breach, and as a result, haven’t appropriately funded HIPAA-HITECH compliance initiatives. Other times, it’s simply a lack of awareness of how likely a breach is and of how those impacts actually materialize. At Clearwater, we regularly encounter organizations facing far more security risk exposure than they realize.
As co-founders and strong supporters of the PHI Protection Network (PPN), Clearwater is banding with other industry leaders to increase awareness and address these issues.
Leading the Charge
PPN was actually an outgrowth of a collaboration among industry leaders to publish a white paper for ANSI, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, to help organizations better understand what’s at stake. (Mary Chaput, one of Clearwater’s founders and principals, was one of the co-authors.) This report called for enhanced security to safeguard protected health information and spurred the founding of PPN to pursue this goal.
As an interactive group of senior privacy, compliance, and security officers, PPN gathers annually to share best practices and insights and develop tangible, actionable takeaways readily implemented inside attendees’ respective healthcare organizations.
The next PPN Conference is Thursday, April 10, 2014, in Anaheim, California. This event is a powerful forum for organizations truly interested in doing more to strengthen data protection programs. If you’re interested in attending the conference, register here.
Quantifying Risk Exposure
The average cost of a data breach is about $200 per patient, translating into costs that can easily top $2 million for a lost laptop with 10,000 patient records. This does not include the harder-to-calculate costs of lost business or lost productivity.
And have you considered class-action lawsuits? Patients with compromised health records often band together to seek damages. A study by Temple University’s Beasley School of Law found the average settlement award in data breach class-action suits is $2,500 per plaintiff, with typical attorney fees of $1.2 million. The $1 billion lawsuit filed in 2011 against Sutter Health proves the costs can be far higher.
No matter how large your organization, that’s REAL money.
Don’t Be a Target
When discussing issues like the budget deficit, politicians are fond of saying “If you’re not worried yet, you’re just not paying attention.” That expression certainly applies to data breaches, like the recent one at Target which affected millions of customers.
As 2014 promises to be a year of increased enforcement by the Office for Civil Rights, this is clearly not the time to rely on half-measures that don’t fully address your risk profile. Check out the resources available at PPN and double check your current efforts to understand and manage your risk/exposure. The business case for playing it safe is extremely compelling.
By Bob Chaput