

HIPAA privacy and security compliance costs


Written by Kevin Beaver and Rebecca Herold; Published by Auerbach Publications
12.17.2003


The following is an excerpt from The Practical Guide to HIPAA Privacy and Security Compliance, written by Kevin Beaver and Rebecca Herold; published by Auerbach Publications. Read the chapter below to learn about HIPAA privacy and security compliance costs, or download a free .pdf of the chapter: "HIPAA privacy and security compliance costs."


Security Implementation Costs

If you do not have thousands of dollars to completely harden your information systems, fear not. There are plenty of things you can do to secure your PHI that will not break the bank or your budget. Remember, there is no such thing as 100-percent information security and there will always be residual risks. You can, however, implement certain measures to reduce your exposure. The risks identified during your security risk analysis combined with security measures that are already in place will help you determine how much money will be spent on Security Rule compliance. Sure, HIPAA is a set of laws that must be adhered to, but the costs associated with protecting information (i.e., time, effort, and money) cannot exceed the value of the information or the consequences if the information is compromised. Your goal should be to align what is needed to reasonably protect PHI with your overall business objectives.


Do not worry about return on investment (ROI) on technology infrastructure and security spending. You have got to spend money on HIPAA compliance anyway, right? True; just make sure you are spending it wisely. Besides, it is difficult to change the lens through which executives see IT and security investments. They need to see money spent on information security as a business expense or investment -- not just another IT expenditure. Why? Because it is a business expense -- it is the cost of federal compliance, the cost of reasonably protecting confidential health information, the cost of demonstrating due diligence, and the cost of embracing IT to streamline operations and provide higher-quality healthcare.

As discussed in the final Security Rule, HHS utilized Gartner Group to study how changes in the healthcare industry might affect the expected impact of the final Security Rule. Gartner estimated that the cost of implementing the Security Rule standards in 2002 is less than 10 percent higher than it would have been in 1998. They go on to say that the preparation for the Security Rule that many CEs have begun offsets this cost difference, making it essentially the same now as it was in 1998. Gartner also determined that compliance with the Privacy Rule may even slightly reduce the overall cost impact of the Security Rule.

A really positive aspect of the Security Rule is its flexibility regarding costs. There are many security standards that are "addressable," meaning that CEs have some flexibility, depending on their specific situation. In addition, there are several information security best practices that can be put in place with relatively little or no cost at all, such as:

  • Sending out periodic security reminders
  • Applying critical patches
  • Using stronger passwords
  • Turning on logging functions that are built into existing applications and operating systems
