HIPAA Compliance: Invest or Roll The Dice?
By Jeff Broudy – CEO, PCIHIPAA

Where Should I Start to Become HIPAA Compliant?

Many believe HIPAA compliance is a “set-it-and-forget-it” exercise. Well, not exactly. HIPAA compliance is an ongoing requirement, whether you’re a small practice with a limited budget or a large office with multiple locations. There is no HIPAA Certification. HIPAA compliance is an environment for which you have to show written proof upon audit.

Maybe a lack of time, knowledge or resources has impacted HIPAA compliance for your practice. Our goal is to provide you with information to accurately plan and predict your compliance budget.

First, Some HIPAA Compliance Considerations:

The cost of HIPAA compliance depends on many variables. We’ve identified some of the key factors to consider:

• Your organization type: Are you a privately-owned dental practice, multi-location, or DSO? Your organization will have varying amounts of protected health information (PHI) and risk levels.
• Your organization size: The more employees, programs, computers, PHI, and departments your practice has, the greater the number of vulnerabilities you might encounter.
• Your organization’s culture: If data security is management’s top priority, you have most likely invested in a cybersecurity program. If not, HIPAA compliance costs will increase due to the additional training and policy requirements for your staff.
• Your organization’s environment: If cybersecurity was considered when purchasing, implementing, and maintaining devices, the costs to comply with HIPAA should be lower for your practice. This includes computers, software, firewalls, servers, and more.
• Your organization’s dedicated HIPAA workforce: A dedicated HIPAA team or third-party provider will help to determine what requirements your practice needs. In fact, the American Dental Association has published guidelines to help dental practices determine criteria for a third-party provider.

The Cost of a Data Breach

If Health and Human Services’ estimate of compliance seems daunting, the costs related to non-compliance are even greater. For not protecting PHI, a practice can face the following fines and costs:

• Health and Human Services’ fines: up to $1.5 million per violation per year
• Federal Trade Commission fines: $16,000 per violation
• Class action lawsuits: $1,000 per record
• State attorneys general/potential fine assessment: $150,000 – $6.8 million
• Patient loss/not returning to doctor due to breach: 40%
• Free credit monitoring for affected individuals: $10-$30
• ID theft monitoring: $10-$30 per record
• Lawyer fees: $2,000+
• Breach notification costs: $1,000+
• Business associate changes: $5,000+
• Technology repairs: $2,000+

When you look at the high costs paid by practices found in violation of HIPAA, it’s obvious the consequences are meant to penalize those who don’t adequately protect patient information. OCR Director Roger Severino announced during a 2018 HIPAA “The next round of examinations will be focused on enforcement and the upcoming audits will use harsher investigative tools to hold bad actors accountable.”

With an increase in audits, HIPAA compliance is more important than ever. Protect your practice’s finances and reputation by becoming HIPAA compliant.

Estimated Compliance Costs:

Whether you decide to take on HIPAA compliance internally, or seek a trusted advisor, we’ve outlined some of the material costs you should expect to incur. Obviously, the key considerations above will impact your investment decisions.

If you are a private dental practice, annual compliance costs are outlined below on an a-la-carte basis. There are companies that combine some or all of these services; however, this will give you a good idea of the range that you should consider to protect yourself from the potential losses outlined above:

• Risk Analysis and Management Plan ~ $1,000 to $2,000
• Employee Security and Privacy Training ~ $2,000 to $3,000
• Policy Development ~ $1,000 to $2,000
• E-mail and Data Backup ~ $500
• IP Scanning and PCI Certification ~ $250
• Business Associate Management and Documentation ~ $500
• HIPAA Compliance Documentation and Audit Support ~ $300
• Emergency and Incident Response Planning ~ $1,000
• Data Breach and Network Security Insurance ~ $2,000 (not required; recommended)
• Additional Technical Safeguards (password management, device monitoring, firewall and anti-virus updates) ~ $1,000 to $2,000

Larger practices with multiple locations and 25+ employees can expect to pay many multiples of the costs above.

HIPAA is often viewed as a bad word throughout the healthcare industry. However, protecting the privacy and security of your PHI is something every dentist should take seriously. OCR is taking more aggressive steps to police an under-compliant industry. When developing a HIPAA compliance strategy for your office, you will need to balance the resources you allocate to compliance with your risk tolerance and risk levels. Now is not the time to ignore HIPAA law; however, with the right strategy and advisors, you can make progress quickly and easily and prevent the ramifications of HIPAA non-compliance and/or a data breach. It’s probably not a good idea to roll the dice, but you also don’t need to break the bank.

To learn more about PCIHIPAA’s compliance services and to take advantage of complimentary compliance resources sponsored by Monterey Bay Dental Society, visit

www.mbdsdentist.com I MONTEREY BAY SMILELINE – SUMMER 2021