In my recent article for the Journal of Healthcare Finance, “The Law of Unintended (Financial) Consequences: The Expansion of HIPAA Business Associate Liability,” which is now available for you to read on the Premium Member section of the Veterans Press website, I suggested the adverse unintended financial consequences of this expansion. Those adverse consequences include business associates’ refusal to enter into such contracts, thereby requiring covered entities to bring certain operations, such as an outside transcription service, back in house with the additional expenses of employee benefits and the like. Adverse consequences also include liability for business associates’ breaches, increased fees by business associates that have to recover their HIPAA compliance costs, increased legal fees for the review of business associate contracts, and the need for more liability insurance to cover breaches by business associates.
In my article, I suggested that the Department of Health and Human Services (“DHHS”) estimates of the compliance costs were naive. For example, DHHS apparently assumed that most business associates were currently in compliance with the HIPAA Security Rule’s standards and that the cost for those who were not is annually between $3.7 and $4.5 million. With more than one to two million business associates and a number of subcontractors (that are now also business associates under the Omnibus Rule), this number is laughable. Also, for example, DHHS estimates that lawyers will, on average, charge an hourly rate of $56.21. Good luck finding a competent health care attorney in private practice willing to work for that hourly rate and still expect to keep a law office open.
The naivety of these estimates appears to have been confirmed recently by a notice from the DHHS Office for Civil Rights (“OCR”). According to an article in Modern Healthcare’s Healthcare Business Blog, “Vital Signs,” by Joseph Conn, published September 4, 2013, “HHS estimates 32.8 million hours of interaction required to comply with privacy, security rules.” The “Vital Signs” article, also quoted on September 5, 2013, in the iHealthBeat blog, a service of the California HealthCare Foundation, notes that OCR published a notice in the Federal Register estimating that the U.S. health care industry will spend 32.8 million hours to comply with the HIPAA Privacy and Security Rules, including time to comply with the new final Omnibus Rule. Health care providers and patients will spend nearly 30.7 million hours to disseminate and acknowledge HIPAA notices of privacy practices (“NOPPs”) for protected health information (“PHI”). According to the iHealthBeat blog article, “about 619,000 hours reflect ‘new burdens associated with the [Omnibus Rule],’ including 350,000 hours needed for 300,000 health care groups to comply with a security rule for business associates of HIPAA-covered entities.” In case you wonder how long 30.7 million hours is, according to the “Vital Signs” blog article, it’s nearly 35 centuries.
So what is the cost of almost 31 million man-hours in salary, benefits, time that could be more productively spent on patient care, and the like? But then again, maybe it is job security for those of you who are privacy officers, directors of health information management, security officers, and the like. After all, we will need you for much of those 31 million man-hours.
Again, as a reminder, if you bought the HIPAA Compliance Library that includes my 5th edition of the Compliance Guide to HIPAA and the DHHS Regulations, you received with it a one-year free subscription to the Premium Member section. If you need help setting up your account to access the Premium Member section, please call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at patrick@veteranspress.com.