Your business development team identifies a new opportunity and it’s in the healthcare industry. The return on investment looks good, and then you are informed that your company is now defined as a “Cover Entity” under HIPAA, which essentially means that you now have to be HIPAA compliant. Immediately, you are wondering how much will it cost your company to become HIPAA complaint. It is a question that I am frequently asked, as a consultant, by businesses looking at new opportunities in the healthcare space. My answer is always – It depends.
Your company may already have a compliance program purporting to address HIPAA risks. You heard about some well-publicized breaches and some “example making fines”. So, you are now wondering “is our program good enough to keep us out of trouble?” Again, my answer is – It depends.
If you are looking to enter a new engagement or new line of business requiring you to become HIPAA compliant you should weigh the cost of compliance against the value of the new opportunity. While it is critical that Covered Entities have properly functioning and effective HIPAA compliance programs to reduce legal and regulatory exposure, The resources you dedicate to your HIPAA compliance program depends on your business, and your company’s risk tolerance.
HIPAA regulations are prescriptive about what has to be done, but the regulations are considered technology-neutral. An organization may spend based upon the environment, size, and level of risks. The cost of HIPAA compliance is usually directly related to the type of business, size of the business, corporate culture, and risk tolerance.
It may be difficult for anyone to provide you with the cost of becoming HIPAA compliant without first collaborating with you on your operations, and without understanding your company’s tolerance level for risks. So my answer to the question, “how much will it cost us to becomes HIPAA compliant”, remains the same – It depends.
The Risk Assessment
Since Spring 2014, there is clearly an intensified regulatory focus on HIPAA; there are initiatives being undertaken by the Health and Human Services (HHS), Office of Civil Rights (OCR) that include increased HIPAA enforcement activity, and larger penalties for HIPAA violations, which were authorized by Health Information Technology for Economic and Clinical Health (HITECH) Act. Because of this intensified regulatory focus on HIPAA, there is an increased need for newbie and veteran organizations to assess the key risk areas based upon the audit protocols identified by HHS. In allocating resources for an effective HIPAA compliance program, your company should most definitely take into consider the current regulatory enforcement environment.
When attempting to estimate the price of becoming HIPAA compliant you should think through expenses that fall into three different categories – one-time expenses, recurring expenses, and capital expenses.
- Consultants and Lawyers—To prepare readiness assessments; implementation plans; draft new agreements; draft and review policies and procedures, and other required forms and documentations.
- IT Professionals—To test network vulnerabilities and create network security and disaster recovery plans.
- Full Time Employee(s) whose job function it is to handle privacy and security issues.
- A shredder company to manage confidential trash.
- Disaster recovery services and/or off-site storage for backup media.
- Printing and mailing of Notice of Practices.
- Privacy screens for computer workstation monitors.
- Training and awareness items (i.e. posters and give-away).
- Compliance program management application for maintaining compliance records and managing compliance activities.
- Information system upgrades for processing standard transactions, and audit trails and flags for when clients choose to exercise their privacy rights.
- Physical security upgrades such as electronic “door locks” (ciphers – encryption or decryption), surveillance equipment, facility upgrades, shredders and backup generators.
- Secure fax machines or fax servers.
- Network upgrades or enhancements, including intrusion-detection systems, virtual private networks (VPNs), encryption software, and enhanced authentication methods.
Getting “HIPAA ready” can be costly, but the cost of non-compliance can be even greater. Ask yourself “what is the likelihood of the risk occurring”, taking into consideration the possibility of breaches and governments enforcement activity, as well as reputational harm. Then ask “what will be the impact (the cost) if a breach does occur”. For that answer, you may want to look at fines recently imposed for breaches. Generally, when imposing fines regulators will take into consideration compliance efforts, mitigation steps, and level of cooperation in investigations. The greater your compliance and mitigation efforts, and the greater the level of cooperation, the better your chances of getting penalties at the bottom of the range of possible penalties that could be imposed. “How much could a HIPAA violation cost us?” – Again It depends!
Put the best compliance program in place that you can afford. Remember how much you spend on your compliance program should have a direct correlation to the type of business and size of the business. Regulators will not look favorably on a high revenue earning company that have large marketing budgets, and pays executive handsomely, but is “cost conscious” when it comes to its compliance.