News Feature | September 16, 2013

Providers Will Spend Nearly 33 Million Hours Complying With HIPAA Rules

Source: Health IT Outcomes
Greg Bengel

By Greg Bengel, contributing writer

A notice released in the Federal Register by HHS’ Office for Civil Rights breaks down how long providers will spend complying with HIPAA security and privacy rules

A notice recently reported in the Federal Register by HHS’ Office for Civil Rights has some news that might turn any provider’s hair gray. It is estimated that the amount of time needed for the U.S. healthcare industry to comply with HIPAA privacy and security rules is 32.8 million hours.

An article on Modernhealthcare.com puts the time frame in perspective quite effectively. “About 3,720 years ago, the Code of Hammurabi and the founding of the Babylonian Empire were already old news, but war chariots were about to become the hottest thing in weapons technology,” it says. “Put another way, that's roughly 32.8 million hours ago.”

According to the notice in the Federal Register, the majority of the 32.8 million hours providers will spend complying with the new HIPAA Omnibus rule will be spent disseminating and acknowledging HIPAA notices of privacy practices, a task estimated to take 30.655 million hours. Modernhealthcare.com elaborates, “But many centuries of time—nearly 35 centuries, in fact, or just short of 30.7 million hours—will be devoted each year by healthcare providers and patients for the dissemination to patients and their acknowledgement of HIPAA notices of privacy practices for protected healthcare information, HHS estimates. Even at just 3 minutes apiece, with 613 million of these routine privacy notices to be delivered, signed and stored, the time adds up.”


FierceHealthIT provides the breakdown as expected by the Office for Civil Rights:

  • “Documentation of security procedures in place: 350,000 hours.
  •  Business associate need to establish or modify BA agreements with subcontractors: 125,000 hours.
  • Revising the language in privacy notices (health plans): 167 hours.
  • Dissemination of notices by paper mail (health plans): 416,667 hours.
  • Dissemination of notices by electronic mail (health plans): 278,333.”

Also, FierceHealthIT says, the notice estimates 619,000 hours will be connected to “new burdens” coming with the rule, and that a lot of the work will have to be repeated year after year.

The final HIPAA omnibus rule went into effect last March. The deadline for covered entities reaching compliance is September 23.