While reviewing the 2013 changes to HIPAA, we came upon this interesting bit of economic impact analysis early in the document. A table is presented called “Estimated Costs of the Final Rule”. Within this table, an estimated cost is presented for Security Rule Compliance by Business Associates, expected to apply to between 200,000 and 400,000 business associates of covered entities that were not previously directly liable for HIPAA compliance. The table lists this estimated cost as between $22.6 million and $113 million. I believe this cost is not remotely realistic.

Let’s do a little math to figure out these costs per organization. How about a best case scenario, where we spend the least amount of money getting the largest number of business associates into compliance with the Security Rule. So, $22.6 million divided by 400,000 organizations totals $56.50 per organization. That’s right, for less than the price of one copy of Norton Internet Security for Mac (currently selling at Amazon for $59.99), your organization is expected to come into complete compliance with the Security Rule of the 2013 HIPAA Final Rule.
Or, perhaps a worst case scenario, where we spend the largest amount of money getting the smallest number of business associates into compliance. In this case we divide $113 million by only 200,000 organizations, totaling $565.00 per organization. Searching Amazon, I found the WatchGuard XTM 26 Security Appliance for about that price, which supports up to 40 users.

These numbers seem low, so let’s do another calculation. I read pretty fast, and it took me 30 seconds to read one page of the 563 page final rule without taking notes. So, it should take me a little less than 5 hours to read the whole document if I don’t stop to check my email or write a blog post. Given our best case scenario pricing above, if I work for an organization that now must comply with HIPAA and make more than $11/hour, I won’t even be able to read the document itself for less than the estimated cost provided by the HHS.

Taking a realistic approach, these organizations will probably spend far, far more than these amounts to bring themselves into compliance with the rule. I would like to see HHS justify the pricing they used for this document. How do they expect these organizations to bring themselves into compliance – let alone spend the time reading and researching to determine exactly what it means to be compliant – for the costs they’ve outlined?

In order to be more proactive about handling security, organizations need to more fully understand both the total risks as well as the total costs they may be subjecting themselves to. This includes budgeting for current and future security needs. By including such unrealistic estimated costs in the 2013 HIPAA Final Rule, the HHS has done organizations a disservice; these numbers do not allow for accurate budgeting of security expenditures related to HIPAA compliance.