Estimated HIPAA compliance time toll a whopping 32.8 million hours

Healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule, according to the Department of Health and Human Services' Office for Civil Rights.

The bulk of that time--30.655 million hours--involves the dissemination and acknowledgement of privacy practices at provider offices, a notice published in the Federal Register reveals.

"Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said when the new HIPAA Omnibus rule was unveiled. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

The notice breaks down the anticipated time spent into functions as follows:

  • Documentation of security procedures in place: 350,000 hours.
  • Business associates' need to establish or modify BA agreements with subcontractors: 125,000 hours.
  • Revising the language in privacy notices (health plans): 167 hours.
  • Dissemination of notices by paper mail (health plans): 416,667 hours.
  • Dissemination of notices by electronic mail (health plans): 278,333 hours.

It attributes 619,000 hours to "new burdens" associated with the HIPAA omnibus rule. Much of this work will have to be repeated annually.

The notice was submitted to comply with the Paperwork Reduction Act of 1995 for approval by the Office of Management and Budget.

Though HHS has been conducting audits of compliance with HIPAA regulations, a formal audit program will begin Oct. 1, 2014. Mark Dill, director of information security at Cleveland Clinic, has urged organizations to be prepared for an audit with their documentation collected in a central location.
