Budgeting for HIPAA compliance

With Jim Phillips
Q: I have been reading quite a bit about HIPAA and compliance dates for healthcare providers. We are just starting. Do you have any "rule of thumb(s)" or estimates as to what I should budget for HIPAA compliance expenses in my HME business?

A: A provider's cost to comply with HIPAA is directly related to its type, size, culture, environment and risk tolerance. Some obvious specific variables exist: Are you "high-tech," with a complete in-house management information system? Do you utilize a clearinghouse or billing service? Does a simple PC-based billing/record-keeping program suffice? Paper claims only? For larger, high-tech HME operations, 0.5 to 3 times the Y2K budget is a common, but not necessarily accurate, rule of thumb. As with Y2K, an HME provider would naturally incur some of the costs associated with compliance as normal business costs to keep pace with technology. For all but the smallest HMEs (that may remain paper-based), our surveys indicate a budget averaging $5,000 to $10,000.

The budget for HIPAA can be divided into three general categories: labor, expense and capital. Here's a breakdown of each category:

- Labor - Appoint someone with responsibility for privacy and security.

- Expenses - Consultants or lawyers (to conduct assessments, write new contracts, review policies and procedures), vendors (software, offsite back-up media storage), and increased printing/mailing costs (patient privacy notices).

- Capital - Because HIPAA is technology-neutral, a provider may spend little or large amounts on capital depending on its current environment. Factors to evaluate include information system upgrades, physical security upgrades, facility remodeling, network upgrades or enhancements, and stronger authentication methods, such as digital signature and PKI.