The Cost of Outsourcing Saves Millions in Fines
One of the main reasons healthcare organizations and legal entities do not outsource record storage and retrieval is cost. Outsourcing is seen as an unnecessary, even frivolous, expense that brings very little administrative gain. Neither belief holds up, and the one about administrative gain least of all. What few organizations factor in is the cost of fines that follow a data breach. Could yours afford the following, for even a minor breach?
New York Presbyterian Hospital
In one of the biggest cases of its kind, NYPH agreed to pay $2.2m in April 2016. The hospital had allowed a television crew to film on its premises but failed to protect patient information in the process. A dying patient was filmed without the consent of the patient or his family, and in other instances the crew was given access to areas where patient data was easily viewable. As part of the settlement the hospital was placed under a corrective action plan for the following two years.
Oregon Health and Science University
OHSU paid $2.7m to settle two separate breaches of PHI (Protected Health Information) and was placed under a corrective action plan lasting three years. In the first incident an unencrypted laptop holding patient data was stolen. In the second, staff had stored PHI with a cloud storage provider without a business associate agreement in place. Even though no patient was shown to have come to harm, the fine and the corrective measures were imposed anyway.
New York Presbyterian Hospital (Again)
If you thought the April 2016 fine was large, consider why, in 2014, NYPH and Columbia University together paid a combined $4.8m, more than double that amount. A Columbia physician attempted to deactivate a personally owned computer server that was connected to the hospital network. Because proper technical safeguards were not in place, patient details became freely accessible through Google. The organizations became aware of the exposure only when a member of the public found the records of a deceased partner through the search engine.
CVS Pharmacy
In 2009, OCR concluded an investigation of the pharmacy giant CVS that resulted in a $2.25m payment. The company was found to have disposed of expired records and other material carrying patient information, including labelled pill bottles, in unsecured public dumpsters. Health professionals know how expired documents should be destroyed, and tossing them into a public dumpster is not one of the ways. Several stores were found to be at fault, and CVS had no clear protocol for the destruction of such material.
Can You Afford Not To?
As you can see, the many ways a breach can happen, combined with the scope of what HIPAA covers, mean that even with the best intentions in the world your organization can still face massive fines. Whether or not any patient is actually harmed makes no difference: the penalty is for the failure to safeguard the data, and it can run into millions.