Dr. Slater,I think what's most overlooked in this mania (which still goes on, so the appelation as the y2k that doesn't end is still appropriate) is that HIPAA ends up as a regulatory affair, with all the apparatus and behavior of regulated industry!
.... Specifically, everyone is now going crazy implementing their systems and changing business processes to get compliant.
......
Having said that I do think some organizations are adopting the buy-a-cheap-system-and-call-it-due-diligence approach, which IMHO is dubious.
Regulations have rules and implementations which get monitored by oversight bodies. The interface for oversight is classically administrative reporting, augmented by occasional investigation and even more occasional penalties.
JCAHO could turn the occasional investigation into basically a frequent and mandatory investigation either de jure or de facto. We will have to wait and see.
But the primary on-going cost is the adminstrative record keeping and reporting. (In one sense the implementation can be minimal as long as the reporting is adequate, so the smart money will wait and see what this reporting ends up consisting of and what the likelyhood of penalities and recourse via appeal might be, although the smart money will never admit such!)
I find it ironic in a current federal adminstration that has decided to 'streamline' environmental regulation and I presume others such that the cost's of compliance do not hinder business as much as they have in the last decades, that a new business cost of compliance would be rigourlessly adhered to in the one industry in which cost containment is out of control and has become a serious political issue!
Wait and see might very well be the best course of action for the smaller players.
