HIPAA's Privacy Regulations: Increased Privacy Comes at a Cost

Deeb Salem, MD


September 24, 2003

Costs of Compliance

The HIPAA regulations, as emphasized by Boston University health ethicist George Annas, "set a federal minimum, or floor, not ceiling, on protection of privacy," with overlying state regulations adding to the regional complexity and differences in the interpretation of what are already extremely complicated laws.[2] How to correctly interpret and comply with HIPAA regulations has created a vast industry of consultants and technical advisors who have profited from the fears of physicians, medical institutions, and medically related companies and healthcare insurers. A Google search on the term "HIPAA" produces more than 1.3 million "hits," many of which are links to consultants.

Implementation has proven to be as frustrating as many individuals, including Annas, had predicted. Many had predicted that the cost of HIPAA to hospitals alone would be twice the cost of the Y2K conversion, thereby creating an additional and unwelcome stress to already overextended hospital budgets.

In April 2003, medical researcher Peter Kilbridge, MD,[3] reported on the financial cost of HIPAA compliance to hospitals. He cited a study commissioned by the American Hospital Association that estimated the average cost of HIPAA training to be $16 per employee. "Even for a small hospital, just the cost of printing a multi-page HIPAA patient rights form for every patient, at a few cents a piece, is substantial," he noted.

Healthcare organizations must keep a record of which patients have received their HIPAA notices. Physicians and clinics must change the behavior of their personnel and often have had to rebuild and redesign waiting rooms and registration areas to ensure greater privacy. Dr. Kilbridge cited data from the Healthcare Information and Management Systems Society and Phoenix Health Systems[3] that estimate the costs of HIPAA to hospitals to be between $100,000 and $500,000 in 19% of even small hospitals (ie, in those with fewer than 100 beds) and more than $1 million in 16% of large hospitals (ie, in those with more than 400 beds).

