Healthcare practices can easily underestimate the investment required to meet compliance. Treating compliance as a one-and-done activity that can be navigated with minimal spending only sets you up for unpleasant surprises later on. Compliance can be a long, drawn-out process involving HR, finance, security, leadership, and others. Therefore, it is important to look at all the costs up front in order to set a realistic budget. Compliance costs should be viewed as an investment with a return: training employees, implementing policies and procedures, assessing and managing risks, and improving technical infrastructure are all part of protecting a practice's brand and reputation.
Let’s begin by breaking down the various types of costs associated with compliance:
Direct Costs: These are expenses related to implementing compliance requirements, including an enterprise-wide HIPAA security risk assessment, auditors, and new technology.
Indirect Costs: These are the intangible costs like time, management, and training.
Opportunity Costs: There are also costs to consider if you fail to meet compliance, such as lost business, penalty fees, and a diminished reputation in the industry.
The actual costs for each of these categories will vary based on:
The industry your organization sits in
How many employees you have
The number of regulations you’re required to adhere to
The amount of sensitive and confidential information you’re required to safeguard
Let’s look at which personnel may be involved in establishing HIPAA compliance for your healthcare practice. Companies often account only for the cost of hiring an outside contractor to help with the compliance process, but you should also account for the internal team members who will be involved. Typically, these are representatives from IT, legal, security and/or compliance, HR, finance, and accounting.
You should also factor in additional time and resources to implement and maintain compliance processes and technologies across the practice. For some healthcare entities, maintenance alone can take one day a week, if not more, depending on company size. Keep in mind that compliance is never a one-time thing. As we have written about before, training must occur at the time of hiring new personnel as well as annually. Be sure to address this in your budget.
The hard costs are ultimately only half of the compliance equation. What is the cost to you if you decide not to become compliant? You may be looking at hefty fines, loss of customers, reputation damage in the industry, and so on. For many companies, compliance is something patients and clients simply require.
Roy Snell, CEO of the Health Care Compliance Association, a member-based association for compliance professionals in the healthcare provider field, said, “Organizations that have effective compliance and ethics programs attract and retain good staff and are more trusted by their communities and potential customers. Good compliance and ethics programs have an impact on revenue that must be considered when you calculate cost. Trusted companies get more revenue than companies that can’t be trusted.”
The bottom line is that an entity will pay for compliance one way or the other: either proactively, as a part of its business model and as an assurance to patients that it will protect the privacy and security of the information it collects on them, or reactively, which costs more money and stress and risks loss of business when regulators become involved because of a bad outcome or a rule violation. At that point, the entity must spend the money on its compliance program, on consultants and attorneys, and on any fines and penalties assessed for non-compliance.
For a better idea of how to get started on ensuring you protect your practice’s HIPAA health and reputation, contact Angela and her team at CentraVance consulting today!