With HIPAA, Training Doesn’t Cost. It Pays.
The number of data breaches per year is the highest it has ever been. So is the average cost of those breaches, particularly in the healthcare sector. According to IBM’s SecurityIntelligence, the mean cost of healthcare data breaches is now more than $10 million, making them more expensive than those of any other industry. In fact, this is more than double the average cost of breaches across all sectors. Mega healthcare data breaches, which involve the breach of more than 50 million records, average $401 million per incident, according to HIPAA Journal.
A health or healthcare data breach nearly always involves the unauthorized disclosure of protected health information (PHI). PHI is protected under the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
The US Department of Health and Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.” The Privacy Rule is one of the three pillars of HIPAA. The Breach Notification Rule is another of those three pillars. This rule lays out the requirements organizations must follow if there is a suspected breach of PHI.
Although there are numerous ways a health or healthcare data breach can happen, the majority are due to hacking or an information technology (IT) incident. Practice Resources reported a breach of almost one million people’s PHI this month. That number was eclipsed a week previously by a breach at OneTouchPoint, according to the HHS breach report portal.
In a recent letter to HHS, US Senator Angus King and Representative Mike Gallagher stated, “With cyber threats growing exponentially, we must prioritize addressing the healthcare sector’s cybersecurity gaps.” King and Gallagher are co-chairs of the Cyberspace Solarium Commission. They are among the many experts sounding the alarm on a rapidly growing problem.
Healthcare clinics and hospitals increasingly link their systems through platforms that facilitate the electronic transfer of data. However, the needed security measures are not always in place, making these interconnected systems a lucrative target. Other factors that drive up the number of breaches include the increased number of remote workers and a greater prevalence of mobile devices, particularly personal devices used for work.
With healthcare systems and their business partners and associates continuously sharing data with one another, the situation is ripe for hackers to tap into this treasure trove of valuable data. The hackers can sell the obtained names, addresses, Social Security numbers, birthdates, and other identifiers, as well as usernames and passwords, on the dark web.
To help combat these risks, periodic HIPAA training is critical. Syntrio’s HIPAA training includes best practices for avoiding and reporting data breaches. HIPAA training for new hires, together with recurring refresher training for existing staff, is a legal requirement for certain roles and industries. While HHS does not specify how often HIPAA training should be completed, it does require ongoing education to keep HIPAA requirements top of mind.
With breaches, the incurred legal fees, bad publicity, reduced business, lost employee hours, damaged trust with customers and business partners, expensive fines, and most of all, the emotional distress of the victims vastly dwarf the cost of HIPAA training. Ongoing education to help prevent breaches results in immense cost savings.
Syntrio provides the ideal solution with two engaging series of modules. The HIPAA and Patient Care series is for those who work directly with patients, while HIPAA Essentials is for people who do not directly interact with patients but do handle PHI. Both series explain the reason for HIPAA, the three rules that comprise it, and suggestions to help avert costly breaches.
Syntrio’s just-released training, created in collaboration with subject matter experts, contains the latest guidance from HHS and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The training employs realistic scenarios, interactive features for increased engagement and learning retention, meaningful situation-based exercises, and frequent knowledge checks. It includes best practices for mobile device and social media use and for administrative, physical, and technical safeguards of electronic PHI (ePHI).
We welcome the opportunity to discuss how our training can provide your workforce with the knowledge needed to help protect your organization and those it serves from PHI misuse and loss.