Unsecure HIPAA Data Expenses in WooCommerce

Understanding HIPAA Compliance Requirements

Since its first appearance in 1996, HIPAA (Health Insurance Portability and Accountability Act) has been trying to ensure that healthcare-related businesses respect the imposed rules regarding the security and privacy of protected health information (PHI, or ePHI in electronic form) handled by patients and healthcare providers.

The list of HIPAA compliance requirements is long, and its implementation towards the goal of a HIPAA compliant website can be challenging, if not daunting, usually involving heavy fund allocation. However, how much would be the cost of insecure ePHI? This article will shed some light on the usually hidden cost of HIPAA data.

HIPAA Compliance Issues in WooCommerce ePlatforms

Understanding the importance of ePHI privacy and security is one thing, implementing measures to actually safeguard ePHI is another. There are several factors to be taken into consideration in order to create a HIPAA compliant WooCommerce website.

• Secure hosting: WordPress (and WooCommerce) is one of the popular solutions for websites and eCommerce platforms. In order for a website to be HIPAA compliant, HIPAA-compliant hosting and every other business associate should be also following the HIPAA compliance requirements. This is an issue often encountered in WooCommerce, as it does not follow some of the basic HIPAA rules, making businesses using this host for their eCommerce liable to HIPAA breaches.
• HIPAA compliant app development: There are ways to counteract compliance issues with WordPress and WooCommerce, using apps, plugins, APIs, or other solutions. These options can ensure that ePHI submitted by end-users either is not handled through WooCommerce (for example using WooCommerce ERP integration to bypass WooCommerce altogether), or is handled in an unrecognizable form (through encryption or tokenization).
• HIPAA compliance maintenance: Ideally, there should be a HIPAA compliance team operating in every healthcare-related business. Maintenance of HIPAA compliance, once it is achieved, includes monitoring the website and eCommerce platform for intrusion attempts, unauthorized users, or potential of ePHI exposure, maintaining and updating of the apps, plugins, and other solutions used, and communicating any arising issues timely and appropriately.

How Much does HIPAA Compliance Cost?

HIPAA compliance is not cheap. Considering all actions needed to achieve compliance, the time and resources spent towards this goal, the constant need for maintenance (and the level of it), and the possible business culture changes involved, the total cost will not be negligible. Cost estimation for the healthcare sector upon initial implementation of HIPAA revealed a $113 million figure, with added costs of up to $14.5 million for annual maintenance. However these figures were soon proven an underestimation, as the real HIPAA compliance cost was shown to be in the billions range ($8.3 billion), with the annual cost for compliance status maintenance ranging from up to $12,000 to up to $50,000, for smaller or larger business sizes respectively. Ironically, the estimation of HIPAA compliance per business by HHS (Department of Health and Human Services) was about $1,000, indicating the complete underestimation of upfront and associated costs. Besides the size of a business, other factors affecting the cost of following HIPAA compliance requirements are the type and culture of business, and the investment the business is doing towards WooCommerce HIPAA compliance (choice of environment, solutions used for HIPAA data storage and handling, level of maintenance, hiring a HIPAA compliance team).

How Much does Insecure HIPAA Data Cost?

Sure, HIPAA compliance is not cheap, proven by the high cost figures. However, how much would HIPAA non-compliance cost? Before answering this question, we will elaborate on the “non-compliance” term. Non-compliance can refer to anything from a simple breach, to important data being exposed, or even to not having implemented HIPAA at all. Of course, the monetary answer to each occasion will be different and an exact estimation of a breach cost in each occasion is difficult, but there are some figures available in this literature to give an idea. There are four tiers of HIPAA violation fines, depending on the importance of the breach, starting from $100 (breach unawareness and absence of control), and moving up to $50,000 (willingly neglect HIPAA rules) per violation, with a maximum cost of up to $1.5. million and several years in prison. Data of 2019 reveal that the average cost of HIPAA data breach was almost $6.5 million, with the average number of patient records breached being just over 25,000.

Rumor has it that medical records have triple worth than financial records in the black market, making healthcare businesses “great” hacking candidates. HIPAA data exposure can be caused by physical causes (stolen storage hardware, office break-in), administrative causes (accidental exposure of ePHI to the wrong patient, unprofessional discussion of ePHI, non-compliance of a business associate), or electronic causes (malware incidents, hacking, breach of electronic heath records). Data breach due to malicious attacks are the most common of HIPAA non-compliance cases, accounting for more than half of all incidents. In the case of eCommerce managed by WooCommerce which has a low security level, electronic data breaches can be highly likable, leading to HIPAA breach fines, unless actions such as WooCommerce HIPAA compliant app development, data encryption or tokenization, or others are taken to reinforce the security

Despite the hefty fine imposed after HIPAA data exposure, associated costs do not stop there, as there can be a clientele loss suffered due to the incident (which has to be publicized), loss of reputation, and potentially, loss of the business itself. According to a study conducted by IBM, 67% of the total cost due to data breach was realized during the first year after breach, 22% was “felt” during the second year and 11% during the third, with data breaches related to healthcare sector trailing costs for longer.