NCPA submits comments opposing costs of proposed HIPAA security rule

NCPA March 6, 2025

NCPA submitted comments to the Department of Health and Human Services Office of Civil Rights (HHS OCR) on its proposed HIPAA Security Rule. If finalized, the proposed rule would revise existing standards to better protect the confidentiality, integrity, and availability of electronic protected health information. HHS OCR estimated that meeting the new requirements would cost a small business regulated entity $1,235 per year, with the majority of IT services estimated to cost $119.94 per hour.

In its comments, NCPA stated that it understands and supports the need to strengthen health care cybersecurity but believes that HHS OCR must consider the costs and benefits of the proposed changes to the HIPAA Security Rule. NCPA asserted that HHS OCR grossly underestimated the costs to small providers of implementing the proposed requirements, and that pharmacies, already on the verge of closure because of unfair reimbursement, cannot afford to absorb further costs to comply with the proposed rule’s requirements. NCPA advocated that HHS OCR should consider providing incentives or covering costs for small providers to meet the proposed requirements, or exempt them from the rule.