2. There are several components that make up a risk management program:
•Risk Assessment
•ePHI Boundaries & Inventory
•Establish Roles & Responsibilities
•Policy & Procedure Development
•Communication & Education
•Monitor & Audit
3. Types of Tasks / Knowledge Base
•Risk Assessment & Gap Analysis
•Risk Management Plan
•Security Policies & Procedures customization
HIPAA Security Rule (45 CFR 164.308)
Policy Design
Control effectiveness, weakness, and vulnerabilities
•Remediation Project Management
•Training Development
Project Management Standard Practices
•Program Monitoring
•Program Reporting
•Ability to translate and provide cogent advice to senior management regarding the impact of emerging industry trends in technology, compliance enforcement, legislation and regulations
•Enforcement
•Auditing & Reassessment of Program Effectiveness
•Working knowledge of management of an effective risk and compliance program, including conducting and documenting investigations
•Addressing violations and monitoring corrective actions
4. Typical compliance manager cost to direct this business function:
•Based on this survey of risk manager salary data, a practice could incur an annual expense of around $86,800.00 for a full-time employee to manage this function.
•This comes out to roughly $7200.00 a month, assuming the industry average of 120 hours of work effort per month.
5. OCR monetary penalties for breach violations
Unknowable = $100.00 per record
Reasonable Cause = $1,000.00 per record
Willful Neglect (corrected within 30 days) = $10,000.00 per record
Willful Neglect (failure to correct) = $50,000.00 per record
Cost of staff time to investigate/recover/resolve: estimated at $50.00 per record
Potential criminal and civil penalties
According to the 2011 Ponemon Study, breached firms lost on average 2.1% of their market value within two days of the public announcement.