Let’s start with what happens if you are not compliant: $1.5 million could be just the start of your costs. That figure is the annual cap on civil monetary penalties the U.S. Department of Health and Human Services (HHS) can impose for violations of a single HIPAA provision, and settlements with HHS for breaches have reached it.
If you are not in compliance, you must also factor in the cost of notifying every patient whose health records were compromised, as the Breach Notification Rule requires.
Then there is always the potential for class action lawsuits by patients who band together seeking substantial compensation for the exposure of their protected health information.
According to HHS HIPAA compliance guidance, cost cannot be used as an excuse for failing to implement and maintain proper security safeguards. No matter how small a practice is, the HIPAA Security Rule requirements must be met if it uses electronic health records.
Whether you conduct the necessary HIPAA Risk Assessment yourself, assign it to practice staff or follow guidance provided by the vendor of your EHR platform, getting on track with compliance does not have to be a costly production. However, properly conducting the required assessment, identifying vulnerabilities and threats, and then taking appropriate steps to mitigate them can be time consuming.
In March, HHS rolled out a HIPAA Security Risk Assessment Tool that consists of 156 questions. Although working through this tool is a good way to start identifying all the areas that need to be assessed, answering a questionnaire is not the same as performing the risk analysis the Security Rule requires (45 CFR 164.308(a)(1)(ii)(A)). It is also important to remember that the assessment is only the first step in the process; the regulations require a HIPAA Risk Management Plan to be in place as well (45 CFR 164.308(a)(1)(ii)(B)).
Do you have the time and expertise to complete all the necessary requirements? If you do, that is outstanding. But what I see is a lot of confusion with small providers not knowing exactly what they need or not having the necessary in-house resources to complete all the compliance requirements. For those practices, the answer is clearly “no.”
From a cost standpoint, you will need to account for the staff hours your in-house personnel must spend meeting all of those HIPAA requirements, and for their level of security expertise. What will be your actual cost in dedicated hours to complete all the requirements yourself? The bottom line is your bottom line.
For a small healthcare practice, the time management factor must be included in the overall cost of ensuring compliance. Getting all the requirements in place without outside assistance can be a time consuming and stressful process, and it never really ends: the assessment and plan must be reviewed and updated regularly.
A consultant can take this complicated compliance burden off your practice’s plate and allow staff to do what they do best — provide required healthcare and associated services.
It may be worthwhile for your practice to get a quote from a consultant for HIPAA security services. In the end, letting an expert handle the HIPAA requirements could actually lower your costs…as well as your aggravation levels.
Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.
His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice-specific risk management plans. The assessments identify vulnerabilities and risks, determine their potential impact, and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.