HIPAA and the risks of a data breach

Are you HIPAA compliant? Do you need to be? And what potential risks are you facing if you’re not?

The Health Insurance Portability and Accountability Act – HIPAA – is United States legislation that provides data privacy and security provisions for protecting the confidentiality of medical and healthcare information shared with service providers.

According to HIPAA, if you belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you and your business are required to be HIPAA-compliant. Ergo, if your spa or wellness business is collecting health information and identifying information from guests, you might have to be HIPAA compliant. Whether it is necessary depends on whether you fall into the category of “covered entities,” which might require some research on your part.

Violations can take many forms, as data can be collected, stored and shared in a variety of ways, including verbally, on paper, and electronically.

What are the risks? Let’s take a look.

A data breach.

In reality, this should be your top concern. Fines and penalties aside, your number one priority is, of course, keeping your client health and personal information safe. A breach would be disastrous for you and for them.

Loss of data, and the price of getting it back.

If you’re hacked, the cost can be enormous. “There’s a lot of hacking going on right now,” Jason Karn, Chief Compliance Officer for Total HIPAA Compliance, tells us. “There is a lot of malware and ransomware out there. Ransomware cost organizations $209 billion in the first quarter of 2016 alone. It’s a multi-billion dollar industry at this point. They say that it costs $380.00 per record to try to mitigate a breach.” That adds up fast.

Federal fines and penalties.

The federal penalties for non-compliance can be big.

The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Civil suits.

And the repercussions could extend beyond federal fines and jail time.

“Four Supreme Courts in America have upheld HIPAA as a standard of care,” says Karn, “and that means a non-compliant practitioner could face a malpractice suit accusing them of willfully neglecting to protect information.

“So, you could be opening yourself up to a civil liability suit, which can be incredibly expensive. Say your practitioner went down the hall and said, ‘You’re never going to believe it. Bob is HIV positive,’ and this information comes out, you’ve got a real issue on your hands. You have potentially a very large liability issue.”

And it is really as easy as that.

Karn says, “Yesterday, I was at the massage therapist and I heard an employee talking with a client, asking her about any physical or pre-existing conditions right there in the reception room, which is very poor form.”

What are the top risks for a breach?

Employee negligence or employee error is one of the biggest, says Karn. “Employees emailing information to the wrong place or not encrypting emails. Or people just talking about their clients in the back or in open areas.” It doesn’t have to be malicious, he points out. “You may be just discussing a new technique or something like that, but people should be very careful about not mentioning names or identifying information, and making sure you’re not overheard by other clients or practitioners when speaking with clients.”

Lack of proper security protocols is another, including access levels. Karn says, “Sometimes people are accessing records they’re not supposed to be accessing. One hospital recently found out that over a five-year period, a nurse had accessed over 11,000 records that they weren’t supposed to be accessing.”

From an electronic standpoint, this means only granting access to the right people, so that administrators or managers have access to all the records, but the practitioners only have access to the records of the client with whom they’re working.
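As an added illustration (not code from the article or from Book4Time), here is a minimal version of the access model described above: managers can read every record, practitioners only the clients assigned to them, every attempt is logged, and a review pass over the log flags a user touching records outside their assignments, the pattern behind the hospital example. User names, client ids and record contents are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: each user's role, and the clients each
# practitioner is currently working with. Managers may read all records.
ROLES = {"alice": "manager", "bob": "practitioner", "carol": "practitioner"}
ASSIGNMENTS = {"bob": {"c1", "c2"}, "carol": {"c3"}}


def can_read(user: str, client_id: str) -> bool:
    """Least-privilege check: managers read everything, practitioners only
    their assigned clients, and anyone unknown is denied by default."""
    role = ROLES.get(user)
    if role == "manager":
        return True
    if role == "practitioner":
        return client_id in ASSIGNMENTS.get(user, set())
    return False


@dataclass
class RecordStore:
    records: dict
    audit_log: list = field(default_factory=list)  # (user, client_id, allowed)

    def read(self, user: str, client_id: str) -> str:
        allowed = can_read(user, client_id)
        self.audit_log.append((user, client_id, allowed))  # log denials too
        if not allowed:
            raise PermissionError(f"{user} may not read record {client_id}")
        return self.records[client_id]


def flag_unexpected_access(audit_log) -> dict:
    """Review the log for non-managers who read, or tried to read, records
    outside their assignments. Returns {user: {client_id, ...}}."""
    flagged = {}
    for user, client_id, _allowed in audit_log:
        if ROLES.get(user) == "manager":
            continue
        if client_id not in ASSIGNMENTS.get(user, set()):
            flagged.setdefault(user, set()).add(client_id)
    return flagged


def demo() -> RecordStore:
    """Constructed scenario: a manager read, an assigned read, and two
    attempts by a practitioner on a client who is not theirs."""
    store = RecordStore({"c1": "intake c1", "c2": "intake c2", "c3": "intake c3"})
    store.read("alice", "c3")  # manager: allowed
    store.read("bob", "c1")    # assigned client: allowed
    for _ in range(2):
        try:
            store.read("bob", "c3")  # not assigned: denied and logged
        except PermissionError:
            pass
    return store
```

The same review function works on a log from a system that never enforced the check, which is how a five-year pattern like the one Karn describes becomes visible after the fact.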

When it comes to where to store your electronic data, Karn says, “I’m a big proponent of the Cloud. A lot of times the Cloud has gone through better security scrutiny, and they have better scalability. They’re more cognizant of security than you probably are.”

You can decrease the risk dramatically by working with an expert and ensuring that all your data is stored in a HIPAA compliant manner.


Your data security is a top concern at Book4Time, so we created Guest Intake to help the industry become paperless and to facilitate HIPAA compliance. With Book4Time, you can rest assured that your data is stored securely and privately, and that someone is always on duty, looking out for your best interests. Find out more at Book4Time.com.
