What's a good set of Policies and Procedures worth? I've drafted dozens of them, including the form set currently available from the Texas Medical Association. On average, I've probably charged around $5,000 to $10,000 for a worked-over set of policies (including adaptation to the client's specific needs, assisting with risk analysis, adding in forms for BAAs and NoPPs, etc.). That's a lot of money for some clients, and many balk at a price tag that high.

But what is the set worth? If you're Adult & Pediatric Dermatology in Massachusetts, the number is $150,000. APDerm lost a flash drive with PHI on it; as far as anyone knows, nothing happened to the PHI. But the loss triggered an OCR investigation, which uncovered that APDerm hadn't adopted policies and procedures. That failure triggered a $150,000 fine.

$5,000 sounds pretty cheap.

Of course, if APDerm had policies and procedures, they might've decided to encrypt all flash drives, or not allow them at all, and the breach might never have occurred. That, really, is the value of a good set of policies and procedures.

