
The Costs Associated with a HIPAA Breach

Published March 10, 2022 by Nina Lalkovic

In digital healthcare, there are few things more important than protecting the personal health information (PHI) of patients. HIPAA breaches are devastating to both patients and healthcare workers, personally and emotionally, and can also have severe monetary consequences for the companies responsible.

For context, the average cost of a healthcare data breach in 2021 rose to $9.42 million. Even for smaller healthcare companies, costs can be significant, with each HIPAA violation costing between $100 and $50,000 per patient record.

While the financial aspect is not the primary reason to avoid HIPAA breaches, it is noteworthy for the companies that are innovating to improve the healthcare landscape.

We have compiled the HIPAA breach costs that healthcare companies need to take into consideration.


Breach Investigation

Once a breach has been reported, an external organization is required to investigate. This is done so that the cause can be identified and to ensure that unauthorized access to PHI has been stopped.


HIPAA Compliance Remediation

Under the supervision of the Office for Civil Rights, safeguards must be implemented. This entails identifying the highest-priority and easiest issues, and scheduling resources to address both longer-term remediation needs and lower-priority needs. This can be a lengthy and expensive process, as many companies need to hire specialized external agencies.

After remediation, it is necessary to verify that the compliance status has been raised to an acceptable level.


Operational Procedures

There are substantial administrative costs associated with a HIPAA breach. Operational tasks include issuing notices, updating websites, and handling customer inquiries.


Breach Notification Letters

Not to be confused with the operational procedures above, breach notification letters must be mailed to all affected individuals. It is mandatory that these be sent by first-class mail. Often, follow-up letters with further information are sent as well.


Protection for Victims

HIPAA requires that victims of data breaches be provided with credit and identity theft protection for 1-2 years.


Fines

Regulatory fines can be issued by the Office for Civil Rights as well as by the Attorney General's Office, and each issues separate fines per violation category.


Lost Business

In the healthcare industry, the trust of customers is paramount. Following a HIPAA breach, it is likely that many customers will be lost and that the company's reputation will be tarnished.


Class-Action Lawsuits

Depending on the nature of the data breach, a class-action lawsuit may be filed against the company. If a healthcare provider is associated with exposing PHI, negligence claims can also be filed.


Website and Helpline for Victims

If a HIPAA breach occurs, it is mandated that information be posted on the company website and that a toll-free phone number be provided so that victims can ask questions and obtain information.

In order to avoid breaches, MedStack abides by a concept we refer to as the "chain of responsibility". Unlike many vendors that rely on the "shared responsibility model", in which the vendor takes responsibility for only certain aspects of security and compliance, we take compliance guarantees to a much higher level.

Our guarantees apply all the way up to the Docker environment and also extend to essential elements such as administrative access to the dashboard, logs, and security updates.

To learn more about how our compliance guarantees help protect our clients, contact us today.
