This article is part 3 of our 3-part Privacy Training Series: Financial Impacts & Consequences of a Privacy Breach.
In our 3-part series on privacy in healthcare, we reviewed several issues around the motivations that drive privacy breaches, and a specific example of a pharmacist who accessed multiple patients’ healthcare records, including her own, without any authorized purpose over a 20-month period. In this final part of the series, we explore the monetary price a privacy breach can carry.
Penalties and Fines
The easiest cost to measure comes in the form of penalties and fines. Depending on the jurisdiction, a range of monetary sanctions can be imposed, scaled to the severity of the breach and the intent behind it. Frequently these penalties are levied against the individual professional who committed the breach; however, a clinic or organization can also be subject to fines. For example, in January 2021 a pharmacist in Edmonton was fined a total of $6,000 for intentionally breaching the privacy of a patient.
Reputational and Patient Loss
Health-related privacy breaches are the kind of story that always ends up on the 6 o’clock news. Online, that story never goes away and remains perpetually discoverable by current and future patients and partners. Studies have shown that patients are more reluctant to visit practices where privacy breaches have occurred. For clinics, a sustained reduction in patients affects the financial health of the operation and its potential for future growth.
There is always the risk of future litigation when privacy breaches occur. Patients expect, and governments regulate, a high standard of care for private information. When those standards are not met and individuals suffer harm from the accidental release of their information, it creates a fertile environment for legal action seeking compensation. Defending against legal action not only requires significant financial resources; it is also a massive drain on the time of the management team and privacy officers. Preparing documents, reviewing information and meeting with lawyers all demand unanticipated time and resources.
Operational and IT Upgrades
Depending on the type of privacy breach, there may be additional costs related to IT discovery and infrastructure. Investigations by consultants or internal IT staff are often required to determine where a breach occurred and to define new policy to prevent further incidents. The time spent on these activities could otherwise have been directed to more productive tasks.
Normally, when invasive breaches occur for purposes outside of any medical benefit, the individual committing the offence can face severe personal consequences. Many recent judgements go beyond monetary fines for the individual; loss of employment is a real consequence. For the employer, this means significant disruption, as the person is no longer available to work and the process of hiring a replacement begins.
Dealing with issues such as privacy breaches consumes a great deal of time, energy and financial resources. The financial consequences can come from a variety of directions and can be severe. The best strategy is to be proactive about privacy and ensure everyone in your organization understands their role in protecting patient confidentiality, and their personal liability if they fail in their obligations. An effective training program has been shown to be the best defence against major disruptions and financial costs. Best practices cited by the College include educational training to ensure members are familiar with up-to-date health information policies and procedures.
Privacy Best Practices Start with Education & Annual Training
Since privacy breaches start with people, it is important to identify ways to improve your privacy best practices before your office becomes tomorrow’s headline. The best medicine, as mandated by many governing tribunals, starts with education and annual privacy training. Efficient online training, where progress is tracked and audited and refresher courses are frequent, has been proven to work. A proactive training strategy keeps employees up to date on their privacy obligations and reminds them of the serious consequences a privacy breach brings. The cost to employers and employees of proper education is substantially less than the alternative!