Security Compliance by HIPAA Business Associates May be Unexpectedly Costly

A recently published article by Modern Healthcare noted the extraordinary level of time and effort that it is estimated that our healthcare system will need to expend in order to comply with the new HIPAA privacy and security rules. The U.S. Department of Health and Human Services (HHS) has estimated that each year, it takes in aggregate around 32 million person-hours.

So what does that mean for each HIPAA business associate, who as of September 23^rd, 2013, is now obligated to meet effectively the same rules as hospitals and insurers? How big will their effort be? As it turns out, it isn’t as easy to answer that question as one might presume.

HHS estimates in a document published in the Federal Register that there are between 300,000 and 400,000 HIPAA business associates. Each of these organizations will have what I think of as “start-up costs” associated with becoming and demonstrating HIPAA security rule compliance. And then they will also have “on-going annual costs” for maintaining their security compliance posture. I focus on the security rule since the burdens of the privacy rule are “mostly” borne by HIPAA covered entities.

So how much are these costs for the “average” business associate? It is exceedingly difficult to tell. The HHS document speaks solely to the “burden” defined in this context as:

“… the time expended by persons to generate, maintain, retain, disclose, or provide the information requested.”

So in this case, they note that the average business associate will have a new burden from the Final Omnibus Rule of 1.17 hours, for “documentation of security rule policies and procedures and administrative safeguards.” But this is a very deceptively small number compared to the overall level of effort that most business associates will require.

A Wall Street Journal article titled “HIPAA Compliance Burden Grows with New Rule” delves into the costs associated with HIPAA compliance under the Omnibus Rule. While the article notes that the total cost to all entities of compliance would be no more than $225.4 million, according to HHS, it doesn’t help inform the question as to what the cost would be for the newly obligated business associates.

In this article, Brian Beard, director of compliance and ethics at McKesson Specialty Health notes that “it will be tougher for the smaller [business associate] shops to be able to afford to be in the health care business” as a result of their obligations under the new regulations. And this point is reinforced by HHS.

Leon Rodriguez, Director of the Office for Civil Rights of HHS in an interview with Risk & Compliance Journal suggested to business associates “the first step for companies should be an inventory to identify what protected health information [PHI] they have, and then a risk analysis. ‘Both in the audit pilot we did and in our enforcement work failed to do a risk analysis is a frequent deficiency,’ he said.”

So as we look at the “startup costs” to business associates, these would include doing an exhaustive inventory of the nature and extent of the PHI that they receive from their covered entity clients, and/or share with their subcontractors, as well as doing a security risk analysis. Both of these efforts are substantial, and the latter is required in order to be in compliance with the HIPAA security rule.

And so this starts to lay the foundation for the earlier comment as to how some smaller business associates may find it unaffordable to remain in the health care business. While professional services prices for a security risk analysis and a PHI inventory can vary substantially, it is easy to imagine that these two combined could cost a business associate between $50,000 and $100,000 or more, depending on the size and scope of the business associate’s enterprise and data management.

Based on this, it is easy to see why business associates may be “dragging their feet” in terms of understanding and addressing their obligations under the Omnibus Rule. The costs, however you calculate them, are non-trivial. However, the exposure of not dealing with security rule compliance could be catastrophic.

In the same Wall Street Journal article, an HHS spokesman “pointed to a resolution agreement last year in which BlueCross BlueShield of Tennessee agreed to pay the HHS $1.5 million to settle a case involving theft of hard drives left in a network data closet after the insurer had moved its staff out of an office complex. Under the new rule, the spokesman said, the property manager–a business associate — could also be liable for similar enforcement action.”

So business associates should be able to see the writing on the wall. They invest upwards of $100,000 or more to demonstrate compliance with the HIPAA security rule. Or, starting September 23, 2013, they are liable for penalties that can run in the millions of dollars if HHS takes an interest in their security posture.

So as Director Rodriguez has suggested, you would be well advised to 1) do a rigorous PHI inventory for your organization so that you know what you have and how sensitive it is, and 2) do a security risk analysis (or more often likely find an experienced HIPAA professional services firm to do this for you) and clearly document its recommendations and the actions you took to address the most severe risk factors. And if I were you, I’d get these going in the next couple of weeks.