The fact that people are the weakest link in compliance is a truism in the privacy and security world. But just how weak is this link, and how likely is it that workers would violate HIPAA? Pretty likely, it turns out, even if they (mistakenly) think they’ll probably get caught.
A new study found only 14% of more than 500 people surveyed wouldn’t improperly acquire or share patient information for money under five hypothetical scenarios. “Our results suggest that there is a high probability that compromises can occur when employees are presented with monetary incentives, given the right context. These results have serious implications because many security breaches are from insiders,” wrote G. Lawrence Sanders, a professor in the School of Management at the State University of New York (SUNY) at Buffalo, and his co-authors.
In an interview with RPP, Sanders warned that the pandemic has escalated financial pressure on many workers, perhaps heightening their risk of falling prey to a hacker or unethical media outlet, and he stressed that a combination of strategies is essential to thwart HIPAA violators and help ensure patient privacy and security.
A “combination of enforcement, education and technology” is needed, Sanders said, to overcome what he and his co-authors called the “unexpected … magnitude of the number of individuals who would receive monetary incentives” to violate HIPAA.
Sanders was joined on the paper by Joana Gaia, also with SUNY Buffalo, Xunyi Wang of Baylor University, and Chul Woo Yoo of Florida Atlantic University. Their research explored in depth the concept that people will commit a crime if they perceive the “cost” of the crime to be less than any expected benefit, Sanders explained; that perceived cost depends on the probability of being caught and on what the consequences might be.