7.7 IDENTIFYING THE COST OF DOING NOTHING

This is one of the most important parts of getting your HIPAA compliance plan approved. If you cannot identify what it would cost to do nothing, the people approving your project are unlikely to see the financial benefit of doing something. When it comes to HIPAA, you can easily point out the legal ramifications of not complying, but the cost of non-compliance includes much more than the penalties. Use the following questions to help determine the expected risk and the financial impact of failing to implement your HIPAA compliance plan:

  • If a breach occurs, how much money in fines does HIPAA require?

  • What is the likelihood of a breach occurring if the plan is not implemented?

  • How much business would be lost if the breach occurred in terms of dollars?

The answer to the first question was explained in the previous chapter. The answers to the next two questions require a considerable amount of thought. The best guidance I can give on these questions is to remember the first rule to work by: be realistic. The following formula is a useful tool for determining the financial risk: (Question 2 answer as a percentage) * (Question 1 answer + Question 3 answer) = Financial Risk. In other words, the expected loss is the probability of a breach multiplied by the total cost of that breach, fines plus lost business.

If you analyze the financial risk and find that the cost of a particular task in your implementation plan greatly exceeds it, then there is likely a problem. Either the most expensive solution was chosen and a less costly option has a better cost-benefit trade-off, or you need to reevaluate the need to solve the goal identified earlier. Believe it or not, HIPAA was not written to require organizations to spend millions of dollars unnecessarily. The lawmakers who put this piece of legislation together clearly understood that it was going to cost a great deal of money to comply, but their intent is that compliance should be a good cost-benefit trade-off. To ignore this analysis is to ignore the intent of the lawmakers. This issue is primarily a concern where the HIPAA Security regulations identify certain implementation specifications as optional (the Security Rule calls these "addressable" specifications, as opposed to "required" ones). If reasonable consideration has been given to complying with an addressable implementation specification, and the cost-benefit analysis shows the implementation to be a bad business decision, then HIPAA only requires an organization to document why the specification is not reasonable and appropriate, implement an equivalent alternative measure where one is reasonable and appropriate, and move on. If you don't weed out the optional tasks that probably aren't required before going to the decision makers with your plan, you are likely to find a lot of resistance. I prefer to separate the 'must do's' from the 'should do's' and allow the decision makers to make an informed decision about how much risk acceptance they are willing to take. The added benefit of this approach is that the 'must do's' aren't delayed while the 'should do's' are being considered.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181