Is HIPAA Worth It?

HIPAA is yet another government mandate for American healthcare businesses to address.  We all know it's time consuming, requires a lot of effort to learn, stay current on and implement.  Plus, it's costly.  But is it worth it?  Does it truly help the covered entity or business associate in the long run?  You might be surprised by the answer.

The simple answer is ABSOLUTELY.

First, let's look at HIPAA goals.

Basic Goals of HIPAA

  1. Portability: To let people keep their health coverage when they change or lose jobs, and to make health information easier to move between providers.
  2. Privacy: To protect the privacy of the patient.  No one wants the world or a nosy neighbor to know about our warts or health issues.
  3. Security: To protect our EXTREMELY valuable PHI, and especially electronic PHI (ePHI), from cyber-theft, unauthorized access or loss.


Here's a list of benefits and the indirect Return On Investment (ROI) of HIPAA, even though that return may not be quantifiable or directly traceable to revenue or profit.

Benefits of HIPAA

  1. The Risk Assessment (Security Risk Analysis) helps your business identify the issues you need to address to reach the goals listed above.
  2. HIPAA training helps your entire staff get better at achieving those goals and at not accidentally causing a breach.
  3. The Policies and Procedures help you run a more standard, effective and efficient business operation.  If everyone knows the policies and the procedures that fulfill them, work will flow more smoothly, training new staff will be faster and cheaper, and the chance of a HIPAA violation (loss of PHI) will be reduced.
  4. Cyber security scans and remediation harden your systems and protect your valuable PHI from being stolen or destroyed.
  5. Keeping records of your HIPAA work shows the auditors that you're doing what is expected and attempting to meet the goals of HIPAA.  Building this body of evidence is now a requirement of HIPAA auditors.


You might say, "Great, this is all good and wonderful, but I'm still out time, effort and money without any financial benefit."  Then consider the alternative: NOT being HIPAA compliant.  Let's assume you are doing nothing to be HIPAA compliant.  You get breached and lose 2,500 patient records.  You don't report the breach to the OCR, which is itself a violation of the Breach Notification Rule on top of the breach.  One of your patients' identities is stolen, the information is traced back to your practice, which is fairly easy, and now the OCR audits your practice.  You're staring at a potential $500,000 fine and a class action lawsuit that could cost well over a million dollars.  Plus, months and months of time to address the audit and the corrective actions it requires.  Then you have to implement HIPAA anyway and show every step to the OCR.  Even if you have cyber insurance, it probably won't cover all of the expenses, and it may cover none of them, because you can't show any proof (body of evidence) that you took steps to secure the patients' data (ePHI).

Now compare that with a practice that has done the work.  With HIPAA implemented:

  1. The potential HHS OCR fines are greatly reduced, if not eliminated.
  2. The likelihood of physical PHI and electronic PHI breaches is reduced.
  3. The likelihood of lawsuits from PHI breaches and data loss is reduced.
  4. Your business operates more effectively, providing better care along with patient privacy, security and data protection.
  5. Your business operates more efficiently, training new staff faster and with less effort.
  6. Your business is a more ethical place of work, working to be a safe place for your patients to come for healthcare.
  7. The negative social media impact of a breach is reduced or eliminated.
  8. The likelihood of losing your livelihood is greatly reduced.

Conclusion on ROI of HIPAA

  1. Do you earn more money by implementing HIPAA?  No.
  2. Do you save money by implementing HIPAA?  Not directly.
  3. Do you reduce your liabilities and your likelihood of financial loss by implementing HIPAA?  Absolutely.
  4. Do you do the morally and ethically correct thing and protect your patients' personal privacy and financial security by implementing HIPAA?  Absolutely.
  5. If you invest $1,000 in HIPAA and save yourself $1.5 million in fines and expenses, it's an extremely cheap investment with many benefits.


Whether you look at HIPAA as an investment or as insurance, it's time to invest in a solution that is comprehensive, easy and affordable, one that will build your body of evidence and help you reach the HIPAA goals, what we at Third Rock refer to as your "Culture of Compliance™".  Consider a Managed Compliance Service Provider (MCSP) that provides HIPAA expertise, acts as your virtual HIPAA team, and offers an online, easy to use compliance management tool that reduces your learning curve, your effort to implement and your time to become compliant, all at a reasonable price.  That's our goal with Third Rock Assurance™ powered by CompassDB™.

Robert Felps
About the Author

Innovative problem solver. Robert Felps takes a holistic view of the situation, understanding the business objectives, then architects a solution that exceeds the expectations for much less than standard industry solutions would cost.
