An article by DataBreaches.net in collaboration with North Country Communications, LLC
On December 15, North Country Communications launched as a consultancy dedicated to helping small and mid-sized HIPAA-regulated entities comply with HIPAA’s privacy, security, and breach notification requirements. DataBreaches took the opportunity to interview its founder, Rachel Klugman Seeger, about the services she provides to clients through on-site or virtual consultations and the advice she offers to small and mid-sized regulated entities. The interview covered common issues related to Business Associates, the need to review websites for compliance, awareness of state laws, and common mistakes entities make when complying with HIPAA’s privacy, security, and breach notification regulations. The interview also covered investigations by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and what may be the latest trend in enforcement.
From the Q&A:
Q: Investing in security is crucial, but also fraught with difficult decisions. Where should SMBs invest if resources are limited?
A: The following investments deliver a high return:
- Enterprise-wide risk analysis: Know your vulnerabilities.
- Policies and procedures: OCR will be looking for these if your organization is ever audited or investigated, and they make good business sense.
- Incident response planning and routine monitoring: Be as prepared as possible if and when a breach occurs.
- Workforce training: Ensure your entire operation is knowledgeable and on board with your compliance efforts.
Q: In the spirit of keeping it real, do you have any figures or estimates as to what each of the above might cost an SMB?
A: There’s no universal price tag for HIPAA compliance, but SMBs can expect costs to fall into predictable ranges. The biggest drivers are the size of the organization, the complexity of their systems, and whether they already have basic security infrastructure in place.
In the spirit of transparency, I would break it down as follows:
- Enterprise-wide Risk Analysis: I’ve seen analyses typically run between $5,000–$20,000, depending on the scope of an organization and whether technical testing is included.
- Security Rule Remediation (policies, configurations, MFA, logging, backups): This is the widest range, anywhere from $10,000 to $100,000+, depending on the size and scope of a covered entity, and how much needs to be built from scratch. Policies and procedures are the backbone of your compliance program, and one of the areas that OCR will look at with the most rigor in their investigations, in tandem with the risk analysis. You simply cannot phone it in.
- Incident Response Planning / Tabletop Exercises: Often $3,000–$15,000 depending on depth and customization. I really love self-audits, and routine incident response planning is an incredibly effective tool for examining compliance programs and identifying areas that need attention.
- Annual Training: Usually $20–$50 per employee, or $1,000–$5,000 for a tailored session. Without sounding trite, annual training is something to approach with a spoonful of sugar. Employees should feel engaged, rather than feeling that training is a burden.
For most SMBs, basic HIPAA compliance start-up work lands in the low five figures, while a single breach can easily cost ten times that. It is a business expense, comparable to insurance.
Q: For an SMB, what percent of their budget do you think should be spent on compliance with the Security Rule and HITECH?
A: There’s no official or industry‑standard percentage of budget that SMBs “should” spend on HIPAA compliance. Neither HHS OCR nor any federal guidance sets a benchmark. That said, most SMB healthcare organizations end up devoting roughly 3–7% of their operating budget to Security Rule and HITECH requirements — and more if they’re modernizing systems or recovering from past gaps.
Read more of the article at DataBreaches.net or download a copy of the interview (.pdf)
