Where Should I Start to Become HIPAA Compliant?
Many believe HIPAA compliance is a “set-it-and-forget-it” exercise. Well, not exactly. HIPAA compliance is an ongoing requirement, whether you’re a small organization with a limited budget or a large healthcare provider with multiple locations. There is no HIPAA certification. HIPAA compliance is an ongoing state that you must be able to document in writing when audited. Here is a quick HIPAA Audit Survey you can take to quickly gauge your HIPAA risk level.
Maybe a lack of time, knowledge or resources has impacted your practice’s HIPAA compliance. Our goal is to provide you with information to accurately plan and predict your compliance budget.
First, Some HIPAA Compliance Considerations:
The cost of HIPAA compliance depends on many variables. We’ve identified some of the key factors to consider:
- Your organization type: Are you a privately-owned healthcare provider, hospital, or business associate? Your organization will have varying amounts of protected health information (PHI) and risk levels.
- Your organization size: The more employees, programs, computers, PHI, and departments your practice has, the more vulnerabilities you are likely to encounter.
- Your organization’s culture: If data security is management’s top priority, you have most likely invested in a cybersecurity program. If not, HIPAA Compliance costs will increase due to the additional training and policy requirements for your staff.
- Your organization’s environment: If cybersecurity was considered when purchasing, implementing, and maintaining devices, the costs to comply with HIPAA should be lower for your practice. This includes computers, software, firewalls, servers, and more.
- Your organization’s dedicated HIPAA workforce: A dedicated HIPAA team or third-party provider will help determine which requirements apply to your practice. In fact, the American Dental Association has published guidelines to help healthcare providers determine criteria for selecting a third-party provider.
The Cost of a Data Breach
If Health and Human Services’ estimate of compliance costs seems daunting, the costs related to non-compliance are even greater. For not protecting PHI, a practice can face the following fines and penalties:
- Health and Human Services’ fines: up to $1.5 million per violation per year
- Federal Trade Commission fines: $16,000 per violation
- Class action lawsuits: $1,000 per record
- State attorneys general/potential fine assessment: $150,000 – $6.8 million
- Patient loss/not returning to doctor due to breach: 40%
- Free credit monitoring for affected individuals: $10-$30 per record
- ID theft monitoring: $10-$30 per record
- Lawyer fees: $2,000+
- Breach notification costs: $1,000+
- Business associate changes: $5,000+
- Technology repairs: $2,000+
When you look at the high costs paid by organizations found in violation of HIPAA, it’s obvious the consequences are meant to penalize those who don’t adequately protect patient information. OCR Director Roger Severino announced during a 2018 HIPAA Security Conference:
“The next round of examinations will be focused on enforcement and the upcoming audits will use harsher investigative tools to hold bad actors accountable.”
With an increase in audits, HIPAA compliance is more important than ever. Protect your practice’s finances and reputation by becoming HIPAA compliant.
Estimated Compliance Costs:
Whether you decide to take on HIPAA compliance internally, or seek a trusted advisor, we’ve outlined some of the material costs you should expect to incur. Obviously, the key considerations above will impact your investment decisions.
If you are a private healthcare provider, annual compliance costs are outlined below on an a-la-carte basis. There are companies that combine some or all of these services; however, this list will give you a good idea of the range you should consider to protect yourself from the potential losses outlined above:
- Risk Analysis and Management Plan ~ $1,000 to $2,000
- Employee Security and Privacy Training ~ $2,000 to $3,000
- Policy Development ~ $1,000 – $2,000
- E-mail and Data Backup ~ $500
- IP Scanning and PCI Certification ~ $250
- Business Associate Management and Documentation ~ $500
- HIPAA Compliance Documentation and Audit Support ~ $300
- Emergency and Incident Response Planning ~ $1,000
- Data Breach and Network Security Insurance ~ $2,000 (not required; recommended)
- Additional Technical Safeguards (password management, device monitoring, firewall and anti-virus updates) ~ $1,000 to $2,000
Larger practices and hospitals can expect to pay many multiples of the costs above.
HIPAA is often viewed as a bad word throughout the healthcare industry. However, protecting the privacy and security of your PHI is something every healthcare provider should take seriously. OCR is taking more aggressive steps to police an under-compliant industry. When developing a HIPAA compliance strategy for your office, you will need to balance the resources you allocate to compliance against your risk tolerance and risk levels. Now is not the time to ignore HIPAA law; however, with the right strategy and advisors, you can make progress quickly and easily and prevent the ramifications of HIPAA non-compliance and/or a data breach. It’s probably not a good idea to roll the dice, but you also don’t need to break the bank.