Given the right tools, a fair amount of time and the budget to make it happen, I certainly believe it is reasonable to accomplish this internally. Keep in mind that not *all* outside consultants are expensive. You should be able to find some in your area that can do the work for a reasonable fixed cost so you don't have to worry about it getting out of control financially. Long term, given employee training, books and other tools that you will end up needing to purchase, not to mention pulling employees away from what they normally do on a full-time basis, it could very well be cheaper to outsource. At a minimum, you should consider getting legal counsel to review your HIPAA-mandated privacy and security policies to ensure they are reasonable and enforceable.