The ticking PHI breach bomb
When organizations don’t have the right Protected Health Information (PHI) disclosure policies, procedures and infrastructure in place, they are effectively sitting on a ticking breach time bomb.
With more than 100 error types found across Release of Information (ROI) authorizations, each request has the potential to result in a PHI breach. That is just one of the many risks detailed in MRO’s new white paper, “Mitigate Breach Risk in an Era of Expanding PHI Disclosure Points And Requests For Health Information.” We also describe industry trends, gaps within the ROI process and other factors that make healthcare organizations vulnerable to breach risk.
The white paper also discusses the most recent findings of the Ponemon Institute, which reported in May 2015 that 91 percent of healthcare organizations had suffered a PHI breach, and 40 percent had experienced more than five data breaches over the past two years. The financial impacts of these breaches are real, including HIPAA civil penalties, which can reach as much as $50,000 per violation, with an annual cap of $1.5 million for repeated violations of the same provision.
The good news is that organizations can protect themselves from breaches by combining highly trained, knowledgeable staff with state-of-the-art technology, which can raise PHI disclosure accuracy rates to 99.99 percent. In our white paper, we describe how improved quality assurance procedures and technology could enable an example 300-bed hospital, handling approximately 33,000 ROI requests per year, to avoid 231 potential breaches annually.
Beyond the HIPAA penalties described above, organizations also face $8,000 to $300,000 in costs from a reported improper PHI disclosure, according to an estimate from the American National Standards Institute, which surveyed healthcare organizations affected by a breach. These costs include credit or identity theft monitoring for breach victims, forensic and legal fees, and loss of goodwill and business. The reputational damage of a breach has an incalculable financial impact: current and prospective patients go elsewhere, and physicians or business partners leave because they don’t want to be associated with the institution.
Adding further to the cost of a breach, healthcare organizations can now be sued for negligence and other damages based on improper PHI disclosure. Although HIPAA itself provides no private right of action, courts in at least 10 states have ruled that HIPAA does not preempt state-law claims and that the statute can serve as the relevant standard of care in a negligence suit.
Although popular perception is that the vast majority of these breaches are caused by a cyberattack or a stolen laptop, nearly 40 percent result from “unintentional employee action,” a category that does not include lost or stolen devices containing PHI.
Right people and right technology
Defusing this ticking time bomb can be as simple as partnering with an experienced and knowledgeable PHI disclosure management partner, such as MRO, whose employees undergo specialized training on the most up-to-date HIPAA regulations and on PHI disclosure requirements at the federal, state and facility level.
We also use technology to identify errors at every step of the ROI process, including optical character recognition (OCR), to ensure there are no commingled records (pages from a different patient’s chart) before release. Together, these produce our high disclosure accuracy rate and relieve the operational burden on hospital HIM departments and physician practices.
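To make the pre-release commingling check concrete, here is an added example of the kind of automated control described above. It is illustrative code written for this page, not MRO’s software: the patient-header layout (“Patient: LAST, FIRST   MRN: …   DOB: …”), the field names and the four sample pages of OCR text are constructed assumptions. Each page’s identifiers are compared with the subject of the authorization, common OCR digit confusions (letter O for zero, I or l for one) are normalized before comparison, pages with no identifiers are flagged for manual review rather than silently passed, and the packet is held if any page fails.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data (not real PHI): a hypothetical ROI authorization and
# the OCR text of a four-page record packet. Page 3 belongs to a different
# patient (a commingled record); page 4 carries no identifiers at all.
AUTHORIZATION = {"name": "JANE DOE", "mrn": "00123456", "dob": "03/14/1970"}

PAGES = [
    "MERCY GENERAL HOSPITAL\nPatient: DOE, JANE   MRN: 00123456   DOB: 03/14/1970\nProgress note...",
    "Patient: DOE, JANE   MRN: OO123456   DOB: 03/14/1970\nLaboratory results...",  # OCR read '0' as 'O'
    "Patient: SMITH, JOHN   MRN: 00987654   DOB: 11/02/1965\nDischarge summary...",
    "Continuation sheet, page 4 of 4\n(no patient header printed)",
]

# Assumed header format; a real deployment would carry one pattern per source system.
NAME_RE = re.compile(r"Patient:\s*([A-Z' -]+?),\s*([A-Z'-]+)")
MRN_RE = re.compile(r"MRN:\s*([0-9OoIl]{6,10})")
DOB_RE = re.compile(r"DOB:\s*(\d{1,2}/\d{1,2}/\d{4})")

# Common OCR confusions in numeric fields: letter O for zero, I/l for one.
OCR_DIGIT_FIXES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})


@dataclass(frozen=True)
class Finding:
    page: int     # 1-based page number within the packet
    status: str   # "ok", "commingled" or "unverified"
    detail: str


def extract_identifiers(text: str) -> dict:
    """Pull name / MRN / DOB from one page of OCR text; missing fields are None."""
    name = mrn = dob = None
    if (m := NAME_RE.search(text)):
        last, first = m.group(1).strip(), m.group(2).strip()
        name = f"{first} {last}".upper()
    if (m := MRN_RE.search(text)):
        mrn = m.group(1).translate(OCR_DIGIT_FIXES)
    if (m := DOB_RE.search(text)):
        dob = m.group(1)
    return {"name": name, "mrn": mrn, "dob": dob}


def review_packet(authorization: dict, pages: list[str]) -> list[Finding]:
    """Compare every page's identifiers with the authorization's subject."""
    findings: list[Finding] = []
    for page_no, text in enumerate(pages, start=1):
        present = {k: v for k, v in extract_identifiers(text).items() if v is not None}
        if not present:
            # No identifiers at all: cannot prove the page belongs to this patient.
            findings.append(Finding(page_no, "unverified", "no patient identifiers found on page"))
            continue
        mismatches = [
            f"{k}={v!r} (expected {authorization[k]!r})"
            for k, v in present.items()
            if v != authorization[k]
        ]
        if mismatches:
            findings.append(Finding(page_no, "commingled", "; ".join(mismatches)))
        else:
            findings.append(Finding(page_no, "ok", "matched on " + ", ".join(sorted(present))))
    return findings


def release_decision(findings: list[Finding]) -> str:
    """Release only a packet in which every page matched; anything else is held for review."""
    return "HOLD" if any(f.status != "ok" for f in findings) else "RELEASE"


if __name__ == "__main__":
    results = review_packet(AUTHORIZATION, PAGES)
    for f in results:
        print(f"page {f.page}: {f.status:<11} {f.detail}")
    print("decision:", release_decision(results))
```

The important design choice is that a page with no recoverable identifiers is treated as a hold, not a pass: OCR on a faxed continuation sheet often yields nothing usable, and that is exactly the page most likely to have been misfiled. Only after a reviewer clears the unverified and commingled pages (or removes them) does the packet go out.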
What risk does your organization face from this ticking time bomb? Find out by using our Breach Risk Calculator, which is based on our industry research and in-depth analysis of thousands of ROI transactions. You may be surprised by the results.