Most of us hear about the cost(s) paid to the Office of Civil Rights (OCR) as part of a corrective action plan - and we know the OCR is just the beginning of the financial woes associated with a breach. But we recently read an American Journal of Managed Care article that alleges hospitals spend 64 percent more annually on advertising following a breach event, presumably to recoup monies lost to legacy patients who take their business elsewhere.
These losses must be made up, and ironically it is the patients who will probably make up the difference. Unfortunately, every extra dollar spent counteracting the bad press and loss of reputation following a breach event is a dollar taken away from improving patient care. So when we think of the unintended consequences of failing to run a compliant and secure HIPAA program, we recommend that healthcare organizations remind themselves that ultimately they degrade their ability to deliver on their primary function.
Unnecessary marketing campaigns are a lot more expensive than keeping (e)PHI safe. It is reported that HHS estimates a breached organization works for a full year to rebuild its brand. We wonder why more Covered Entities don't spend a little up front to avoid spending a lot more in arrears.