Also notice that a large part of the cost is poorly accounted for, because the way many of the non-destructed entities comply with it is by adopting cloud-hosted EMR systems that handle a lot of the compliance burden for them. Which aren't exactly cheap, but more than that they're usability fiascos that imperil patient care.
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...
It's 115 pages. Just training the staff to comprehend what's in it is a non-trivial undertaking, assuming people are actually going to comply with it.
It has some fun provisions, like prohibiting disclosure of certain information except where disclosure is mandatory, which means there is no "err on the side of caution" and you need staff to know exactly what the conditions are if you want to avoid breaking the law.
There are various rules about computer systems and access controls that are all reasonable and expected in a large bureaucracy but not anything a small medical practice is going to be familiar with. So they'll have someone host it for them who has lawyers on staff and pay them a premium for it. That makes it "easier" and then the expense gets accounted for as something else. But now we're back to many of these systems being proprietary and miserable, because they're specialized to the limited (and extremely "enterprise") market of customers who need HIPAA compliance, and now small entities have to deal with the daily horrors of using "enterprise software" for their ordinary work.
Compliance costs also often seem low because people aren't actually complying. But then you're creating a competitive disadvantage for companies that actually follow the law.
It's not my impression that HIPAA is one of the more burdensome regs regimes, and this comment sort of reinforces that belief.
