Three universities recently conducted a joint study of participants that aimed to explore their likelihood of being monetarily incentivized to violate HIPAA regulations.

The pilot study involved medical residents or individuals in an executive MBA program, with some of those participants already in health care executive roles.  Of the 64 medical students and 32 executive MBA candidates, only 6% would give in and take the money, which means they would commit the violation as well.  The dollar amount that they would be tempted by ranged from $50,000 to $1 billion USD.

The main study was a refined questionnaire given to 574 undergrads who were in an information technology course. These students were not directly in healthcare; they were business IT majors, who could nonetheless have a big impact on data breaches in the future.  They were NOT aware of HIPAA compliance regulations, so that may be a reason to pause when assessing the results, but the results should not be entirely overlooked.  The results were surprising and indicated that at 46%, close to half of them would violate federal law for money.  As the perceived likelihood of getting caught increased, participants were less likely to release the information.

Five Scenarios

There were five scenarios presented to the students, each with a different way of viewing the situation.  Was a family member in need of medical treatment?  How much was being offered?  What was the information requested?  While at first the numbers are a bit hard to digest, there is a way of looking at this that is less frightening.  The people who are informed about HIPAA and currently in healthcare are less likely to violate the policies.  The participants who presented a higher likelihood are students; although they indicated that they were aware of HIPAA rules and regulations, this is not their field of study or current job, so they may not be as informed as they indicated.

At first glance, we should be concerned that “people can be bought”, but this isn’t a new concept.  What we have to continue to do is educate our employees on the importance of the HIPAA Rules, and strong cybersecurity behaviors.  Make sure that they understand how one small action can lead to catastrophic results that affect not just their job, but many individuals and the future of the business altogether.

While comprehension of HIPAA is important, equally important is understanding that being careless with everyday actions on our devices can lead to a data breach as well as the federal violation.  Having trustworthy employees is just the tip of the iceberg, and you will always run the risk of having ‘one bad apple’.  But if a strong security awareness training program is a priority within your organization, one that includes checks and balances and ongoing training, you are more likely to survive an attack, whether it originates externally or is caused by internal factors.