[ Monday, January 21, 2013 ]
Nugget 12: The Numbers are Whack: I'm not going to waste a lot of time digging through the numbers and expected costs included in the regulatory analysis, because ultimately it doesn't matter. But HHS severely underestimates the amount of time and costs associated with compliance with HIPAA generally and these regs specifically. For example, HHS assumes that half of the breach notification letters will actually be sent by email rather than snail mail. That might be the case for non-healthcare businesses. But because of HIPAA itself, hospitals and physicians don't do email that much. Some may use email for a thin sliver of their patient population, but nowhere near half. And of those that do, the vast majority use some portal or secure email system; most providers would not count on the patient coming to the portal or utilizing the secure email system, and would send a hard-copy breach letter just to make sure the communication was received.
Jeff [1:48 PM]
Most of the staff time calculations include no down-time. For example, for manning the toll-free phone, the expectation is that the staff person will average 5 minutes per call and take 12 calls per hour. You think all of the calls will come in back-to-back like that? There won't be times when nobody is calling, but the covered entity needs the staffer available in case someone does?
There's lots more like that. Like the $50/hour lawyers. Really?
Blogger: HIPAA Blog - Edit your Template