Healthcare is renowned for being an expensive industry; cutting edge healthcare and world-leading R&D programs are incredibly expensive. It’s estimated that the United States spends 17% of GDP on healthcare. That’s about $12,000 per capita. With these astronomical figures, is it at all possible to be cost-effective within an industry that is as heavily regulated as the United States healthcare system?
Where is HIPPA Applicable?
HIPAA covers privacy and security regulations requiring strict security measures for hospitals, physicians, and other organizations such as health insurance and health maintenance organizations that either store or process private medical information associated with individuals. HIPAA defines the rights of individuals who are the subject of medical records, therefore organizations that maintain such records are required to disclose these rights in writing.
The Health Insurance Portability and Accountability Act (HIPAA) was introduced and signed into law on August 21st, 1996 by President Clinton and became part of the Social Security Act. Its purpose was essentially to uphold the confidentiality of patient data. The financial bite of compliance didn’t start to hurt until 2003 with the introduction of the Privacy Rule amendment, which deals specifically with electronic patient records. For many, there is little doubt that the introduction of that rule and the cost of protecting patients drove up the cost of US Healthcare.
The costs were incurred because healthcare professionals had to hire compliance officers to oversee the correct implementation of the Privacy Rule safeguards. Two further immediate costs needed to be paid as well: firstly, introducing complex technical IT solutions to meet the expected technical safeguards of HIPAA, and secondly, each employee had to embark upon a HIPAA training program to learn about HIPAA compliance.
Naturally, this has added further financial burden on the industry, putting medical professionals under further pressure. However, it is important to stop and think about what the cost might be if the legislation is ignored. In addition to putting their patients’ privacy at risk, real financial costs would likely be much higher if found to be in breach. The price would include enforced penalties introduced in the Final Omnibus Rule of 2013, and the potential of lost business and reputational damage.
The penalties are severe if an organization is found to be in breach, fines handed out range up to $58,490 for minor offenses (per violation), all the way up to $1,785,651 (per violation) for the most serious tier 4 offenses. Healthcare practices must weigh up the costs of implementing HIPAA compliance alongside the potential fines of being in breach. In all situations, paying to professionally implement HIPAA compliance is the cheaper option. (Read also: Data Breach Notification: The Legal and Regulatory Environment.)
Upholding compliance regulations in any industry will require investment, but cost-saving initiatives can drive down expenses without impacting data integrity. Costs will vary depending on whether the organization chooses to implement completely new IT systems and business processes, only the bare minimum requirements, or something in between.
The Costs of HIPAA-Compliant Administration
In 2003, the introduction of the Privacy Rule was met with serious concerns that the cost to implement the law would be excessive, costs that would be passed onto the patient. Some of the requirements demand a larger workforce working solely on compliance.
The required privacy gap analysis and risk assessment are just two of the substantial administrative requirements introduced, each taking months to complete and required bi-annual reviews. Any new processes had to be documented, peer-reviewed and regularly updated, additional policies created and enacted, then training offered to personnel to uphold the privacy rules.
An effective solution to the inevitable costs is to bring on board a specialist HIPAA consultancy firm. The logistics of maintaining a compliant medical practice can make life difficult for busy healthcare providers, outsourcing this responsibility brings professional experience and is often budget-friendly.
Outsource to the Cloud
Some providers have found cost savings by outsourcing core IT infrastructure such as medical applications, databases, and IT systems to the cloud. Healthcare practices that keep IT infrastructure on-premises face the complex and expensive challenge of designing, maintaining, and updating a rapidly evolving computing platform. (Read also: 8 Best Practices for Managing Cloud Applications.)
A cloud-first narrative allows the budget to evolve from capital expenditure (CAPEX) to Operational Expenditure (OPEX) with predictable monthly costs. Plus, there is no additional outlay on expensive storage, network, and server hardware…hardware that will depreciate the moment you unbox it.
Most healthcare businesses have a hybrid-cloud model in place already, core business workloads are processed on-premise, but some services such as telephony, video conferencing, and productivity office suites are SaaS hosted. But to make big savings, some suggest, healthcare needs to move all production workloads into the cloud.
This is a big job that requires careful planning, but don’t have to do all the work yourself. Outsourcing to a managed service provider or HIPAA cloud Hosting specialist can save you time and money. The cost of licensing, power, cooling, and core data center facilities will no longer be your responsibility, eventually allowing you to close expensive onsite computer rooms.
Ultimately, responsibility for the safety of the data remains with the customer and responsibilities for who does what and when are determined by the contracts. However, additional cost-effective managed services can be taken such as a managed backup and disaster recovery solution. A solution that will meet the requirement to archive and maintain necessary patient information, as well as protect personal health information (PHI) data from deletion or amendment by using encrypted backups from an encrypted data source.
Business continuity and disaster recovery services to maintain around the clock access to PHI are hugely expensive. Server hardware, synchronous network, and storage capabilities and licensing costs, colocation facility leasing, and a team to keep the platform operational 24/7 will cost tens of millions of dollars. (Read also: SaaS Security: Pitfalls that are Often Overlooked.)
Save on Technical Engineers
Managing HIPAA compliant infrastructure requires a team of 24/7 front-line personnel, and an extensive team of subject matter experts. IT wages are some of the highest in the workplace, especially if you want to invest in the best employees. Again, by outsourcing this responsibility, your wage bill is slashed dramatically.
Also, you benefit from offloading the day-to-day management and technical support of the entire platform. It becomes the provider’s responsibility to keep everything secure and patched, plus it is the provider’s responsibility (and cost) to absorb expensive hardware refresh programs when infrastructure enters end-of-life support.
Technical Safeguarding
Some of the less obvious technical safeguards that protect your healthcare practice from substantial fines are identity services, user accounts, access control lists, permission management, and multi-factor authentication. Each of these services is expensive to implement, manage, and maintain if done in-house, but from a HIPAA compliance provider, the services can be bolted on with ease.
Taking advantage of the recent relaxation of the enforcement rules, on the 17th March 2020, the Office for Civil Rights (OCR) released a statement advising that “enforcement discretion and waiving penalties for HIPAA violations” were being introduced. Medical professionals were for the first time authorized to use third-party tools for telemedicine appointments, such products such as Let’s Talk, Apple FaceTime, Google Hangouts, Zoom, or Skype. Potentially saving a lot of money in licensing whilst also giving greater choice to the patient. Remember that these rules are temporary.
Conclusion
To summarize, there are going to be inevitable costs in being and staying HIPAA compliant. Unless you are a medical startup, you will most likely already have HIPAA compliant systems in place, the important step is to understand how effective that protection is to your patient’s data, and the total cost of ownership to have that technical solution in place.
Monolithic hosting is so expensive when compared to the cloud. You have all the infrastructure in-house under your control, but huge savings can be made by modernizing the infrastructure. Take your time to shortlist reputable HIPAA-compliant hosting providers, look for the physical, administrative, and technical safeguards that they can bring to the table, and then compare the costs.
It’s not just about finding the cheapest hosting provider, although cost is always a practical consideration. You need to find the right balance of security, functionality, and price. Cloud services can dramatically lower your administrative costs and management burden, increase efficiency with greater scalability, and also give operational flexibility.