The Cost of Compliance – and Why Organizations Neglect It


By Tim Mullahy
Liberty Center One

Given how sensitive healthcare data can be, you’d expect hospitals and similar organizations to place the utmost importance on keeping it safe. So why does it seem like so many slack off?

Healthcare organizations know a lot about us, sometimes more than we know about ourselves. And when that information falls into the wrong hands, it can be devastating – it gives a criminal everything they need to commit medical identity theft. Not surprisingly, there are some pretty strict rules and regulations around the protection of that data, known as Protected Health Information (PHI).

In the United States, that set of guidelines is known as HIPAA. Similar rules exist in Australia, the United Kingdom, and the European Union. The one thing they all share in common aside from the data they protect?

A startling number of businesses – healthcare organizations and otherwise – are noncompliant.

That can be costly. In addition to opening up an organization to penalties of up to $50,000 per compromised record in the event of a breach (under HIPAA), failure to adequately protect healthcare data can also lead to even costlier lawsuits. And that’s without even accounting for the reputational damage.

In short, HIPAA compliance is in the best interest of every organization that works with health data, even tangentially. So why do so many businesses neglect it? In my experience, there are two overarching reasons.

They Lack The Resources

Healthcare IT isn’t known for being well-funded. Quite the contrary – administrators in the health industry are often regularly forced to do more with less, constantly trying to make ends meet with an understaffed, under-utilized IT department. Factor in how hodgepodge the tech tends to be in many hospitals, and it isn’t hard to see why some organizations simply sweep HIPAA under the rug and hope no one notices.

They Simply Don’t Know Any Better

There are more ways to violate HIPAA than improper storage of healthcare data – something many organizations don’t seem to realize. If, for example, you’re using an email provider within your organization, you need to ensure they’re HIPAA compliant. Unencrypted text messages are also a definite thing to avoid, as is sharing login information between multiple users.

Even an organization’s website can cause it to run afoul of HIPAA if it uses a web submission form that isn’t up to the regulation’s standards.

And – here’s the big one that a lot of third-party organizations especially seem to fall behind on – training. If a healthcare organization or third-party vendor doesn’t provide regular training sessions for its employees, it is noncompliant. And it doesn’t matter if said organization is failing to do so because it isn’t aware of these regulations – ignorance of the law is no excuse, after all.

So what can you do to reduce the cost of compliance? How can you ensure that your organization stays within HIPAA’s regulatory guidelines, and that you or your employees aren’t unknowingly violating it? It all starts with proper data hygiene. Beyond that…

  • Invest in an endpoint management solution that allows your IT department to easily control and monitor systems across your organization.
  • Understand that your IT department is a critical cog in your organization – and that your staff needs funding to keep your organization compliant.
  • Train your staff regularly, and ensure that any organizations you do business with are fully schooled in their duties under HIPAA.
  • Perform regular risk assessments. Bring in an outside compliance expert if necessary.
  • Choose a HIPAA-compliant host for your web presence and hosting services.

HIPAA can be difficult to comply with, but it’s a necessity if you work with PHI. Under the law, it doesn’t matter if you lack resources or knowledge. Noncompliance is noncompliance – bear that in mind.