
markolschesky | 7 years ago

I agree that some folks often exaggerate the danger in HIPAA, especially for someone like OP with a relatively small operation. But, for companies with larger operations and reach it's definitely a non-trivial problem. Our relatively small organization has two people dedicated to compliance (and plenty of ancillary support) and goes through hundreds of audits a year. Not having a locked-down, well-thought-out solution, both technical and operational, can really put growth at risk in healthcare. Of course, that's not "HIPAA compliance", but it is "what it takes to reach scale in healthcare".


snuxoll | 7 years ago

> But, for companies with larger operations and reach it's definitely a non-trivial problem.

The more hands you have touching any given system, the more the work required to ensure compliance in any regulated industry increases; that's certainly a given.

Technical compliance is the easy part in all honesty; all of the human elements (policy, procedure) require constant attention and are the majority of what our compliance and QA teams deal with. This is the hardest thing to deal with, and it's not even just "don't expose PHI" but making sure you have everything just the way a certain insurance company likes things, that a chart has supporting documentation for a specific procedure, etc. Makes me glad I only have to deal with our applications and the systems they run on; props to the compliance team for all the headache they have to deal with.