With retailers destined to stumble from their tightrope walk between privacy and security requirements and the use of new customer information, it is instructive to look at the implications and consequences of HIPAA privacy and EHR mandates and incentives in healthcare.
Healthcareitnews.com is a veritable legal blog documenting various costs for transgressions by healthcare IT buyers and vendors alike:
- A lost thumb drive was the cause of a $150,000 fine at a dermatology office for breach of HIPAA privacy requirements.
- A small Montana hospital has taken NextGen Healthcare to court, alleging that the EHR provider is responsible for the hospital’s failure to meet a federal deadline for implementation.
“HIPAA covered entities and, more recently, business associates can be slapped with up to $50,000 fines per HIPAA violation due to willful neglect that goes uncorrected. Entities could face $10,000 per violation due to willful neglect when the violation is properly addressed.”
Further, the costs of meeting the regulations and requirements can be steep when an implementation simply goes awry, even without sparking fines or a liability suit. The Maine Medical Center slipped into the red when its Epic EHR implementation went over budget, with its latest round of additional spending, nearly $55 million, required for staff training alone.
Retailers are forced to traffic in sensitive customer data by dictate of the market; healthcare organizations, by the government. But it is likely that laws will be passed to enforce greater penalties for retail transgressions than are paid presently. Both industries will need to further ruggedize systems handling new levels of private customer data.