
The Practical Guide to HIPAA Privacy and Security Compliance

17 Dec 2003


This excerpt is from Chapter 3, "HIPAA Cost Considerations," from The Practical Guide to HIPAA Privacy and Security Compliance, written by Kevin Beaver and Rebecca Herold, and published by Auerbach Publications. Download this entire chapter for free here.


Security Implementation Costs

If you do not have thousands of dollars to completely harden your information systems, fear not. There are plenty of things you can do to secure your PHI that will not break the bank or your budget. Remember, there is no such thing as 100-percent information security and there will always be residual risks. You can, however, implement certain measures to reduce your exposure. The risks identified during your security risk analysis combined with security measures that are already in place will help you determine how much money will be spent on Security Rule compliance. Sure, HIPAA is a set of laws that must be adhered to, but the costs associated with protecting information (i.e., time, effort, and money) cannot exceed the value of the information or the consequences if the information is compromised. Your goal should be to align what is needed to reasonably protect PHI with your overall business objectives.

Do not worry about return on investment (ROI) on technology infrastructure and security spending. You have got to spend money on HIPAA compliance anyway, right? True; just make sure you are spending it wisely. Besides, it is difficult to change the lens through which executives see IT and security investments. They need to see money spent on information security as a business expense or investment -- not just another IT expenditure. Why? Because it is a business expense -- it is the cost of federal compliance, the cost of reasonably protecting confidential health information, the cost of demonstrating due diligence, and the cost of embracing IT to streamline operations and provide higher-quality healthcare.

As discussed in the final Security Rule, HHS engaged Gartner Group to study how changes in the healthcare industry might affect the expected impact of the final Security Rule. Gartner estimated that the cost of implementing the Security Rule standards in 2002 is less than 10 percent higher than it would have been in 1998. They go on to say that the preparation for the Security Rule that many CEs have begun offsets this cost difference, making it essentially the same now as it was in 1998. Gartner also determined that compliance with the Privacy Rule may even slightly reduce the overall cost impact of the Security Rule.

A really positive aspect of the Security Rule is its flexibility regarding costs. There are many security standards that are "addressable," meaning that CEs have some flexibility, depending on their specific situation. In addition, there are several information security best practices that can be put in place with relatively little or no cost at all, such as:

  • Sending out periodic security reminders
  • Applying critical patches
  • Using stronger passwords
  • Turning on logging functions that are built into existing applications and operating systems

    Download the rest of this chapter for free here.
    Visit the Practical Guide to HIPAA Privacy and Security Compliance Web site.
