I really don't think this is true. What cost factors are you thinking of? We host lots of small HIPAA-complying businesses, and in my career I've consulted for many dozens more. As near as I can tell, there's actually not a whole lot to it.
It's 115 pages. Just training the staff to comprehend what's in it is a non-trivial undertaking, assuming people are actually going to comply with it.
It has some fun provisions, like prohibiting disclosure of certain information except where disclosure is mandatory, which means there is no "err on the side of caution" and you need staff to know exactly what the conditions are if you want to avoid breaking the law.
There are various rules about computer systems and access controls that are all reasonable and expected in a large bureaucracy but not anything a small medical practice is going to be familiar with. So they'll have someone host it for them who has lawyers on staff and pay them a premium for it. That makes it "easier" and then the expense gets accounted for as something else. But now we're back to many of these systems being proprietary and miserable, because they're specialized to the limited (and extremely "enterprise") market of customers who need HIPAA compliance, and now small entities have to deal with the daily horrors of using "enterprise software" for their ordinary work.
Compliance costs also often seem low because people aren't actually complying. But then you're creating a competitive disadvantage for companies that actually follow the law.
Yeah, if that's what you mean, this just isn't expensive. If you do a lot of consulting for HIPAA companies, you get HIPAA-trained a bunch (i.e., you fast-forward through a lot of videos with an HTML5 video playback speed hack). They're not a big deal; maybe a hundred or two per seat?
It's not my impression that HIPAA is one of the more burdensome regs regimes, and this comment sort of reinforces that belief.
I feel kind of the opposite. Like the way "compliance" works in corporations is everyone has to sit through a boring training video so they can check the box that says "trained staff on regulatory compliance" when the real cost is not just watching the video but actually diligently putting it into practice. Which is pretty cheap for the companies who skip doing that part, admittedly, but if that's expected to be the method of "compliance" then what's the point of the law?