The cost of HIPAA compliance

How Much Does an Internal HIPAA Audit Cost: Direct and Indirect Costs

Kyle Morris

Senior Compliance Success Manager


You know the saying “let sleeping dogs lie”? Well, that doesn’t apply to HIPAA compliance. Nap time’s over for this puppy. 

Suppose your organization is subject to the Privacy Rule (which means you’re either a covered entity or a business associate). In that case, HIPAA compliance is always in the back of your mind and at the forefront of your priority list (or at least it should be). With the healthcare sector accounting for 79% of all reported breaches, and data breaches increasing by 25% year over year, organizations can no longer afford to be non-compliant. But – can they afford to get compliant in the first place? 

We’re looking at the cost of compliance and the price you’ll pay without it. 

HIPAA self-audits: What are they and why do they matter?

HIPAA is a federal law. If you’d like to bookmark this tab and take a quick refresher on the HIPAA basics and what it means for your business, here’s your shot. But if you’re familiar with the concept, let’s keep going. 

Although the fact that it’s a law may seem straightforward, in some ways that very fact complicates the process. The simple part is that you either abide by a law or you don’t. There’s no in-between.

Similarly, organizations cannot be ‘somewhat’ or ‘fully’ HIPAA compliant. Either you’re compliant, or you’re not. However, the tricky thing is that compliance has an intricate web of dos and don’ts, what-ifs, and assumptions, which is not ideal when you’re just trying to follow the law. 

What complicates matters even further is that no governing body will certify you as HIPAA compliant. It’s each organization’s responsibility to comply with HIPAA laws and regulations, and no – there is no round of applause from The HHS or the OCR for being compliant. So, how do companies gauge whether or not anything is slipping through the cracks?

Although the OCR can conduct official audits, they generally only come knocking on your proverbial door when there’s suspicion of a violation or breach. The idea is to get (and stay) compliant before this happens. That’s where HIPAA compliance internal audits come in and ease the burden. 

HIPAA compliance audits are an organization’s way to protect itself from a breach, mitigate any internal or external risks or gaps that could expose it to non-compliance and, importantly, ensure that it complies with HIPAA. As there is no certification body and no ‘official’ audit, unlike SOC 2, an internal audit is also an organization’s only way to gauge compliance before it’s too late. 

But something so critical surely comes at a cost. Here’s what to expect in terms of budget.

The cost of HIPAA compliance

To establish a ballpark figure of how much HIPAA compliance will ultimately cost your business, it’s essential first to break down the various costs associated with compliance. 

There are three general costs associated with HIPAA compliance.

Direct costs: These costs include out-of-pocket expenses and the costs of implementing compliance requirements. This covers internal audits, assessments, personnel, and any new systems or technology to meet security standards. 

Indirect costs: These are the costs that aren’t easily measurable or tangible. This includes time, management, training, onboarding, and other resource-intensive factors involved in staying compliant. 

Opportunity costs: These are the costs associated with what could happen if your organization is non-compliant. Opportunity costs include a loss of business, penalty fees, reputation loss, and possible criminal charges. 

HIPAA pricing is subjective and depends on key factors

There’s a common misconception that HIPAA only applies to healthcare organizations. However, as established by the Privacy Rule in 2013, a myriad of organizations, vendors, and businesses are subject to mandatory compliance.

However, it’s only fair that compliance costs vary between entities to accommodate their budgets. Unfortunately, HIPAA compliance, in general, is still overlooked in the budgeting process, and many organizations fail to allocate adequate funds and resources to cover everything required for compliance. To weave through the varying costs and expenses and to reach a common ground between covered entities and business associates, a few elements can influence the overall cost of a HIPAA audit and compliance. These include the following: 

  • Your type of business or the industry.
  • The number of employees you have.
  • The number of regulations that you’re subject to.
  • The amount of PHI and data you are required to safeguard.
  • Whether or not you’d like to establish a designated compliance department.
  • Whether you choose to use a consultant or any third-party vendor for advisory.

HIPAA internal audit: The direct costs

When talking about money, it’s crucial to take all calculations with a pinch of salt until you receive a detailed quote based on your specific requirements and business. 

To provide some context, one of HIPAA’s four rules is the Security Rule. This rule was established in 2003 and had 75 standards and 254 points for organizations to test against. These security standards can be challenging and highly technical to validate. Depending on the technical safeguards you need, your price may either increase or decrease. 

But let’s get to the nitty gritty. 

In 2013, after the final release of the HIPAA compliance rules, statistics provided by the HHS put the cost of compliance at $1,040 per organization. However, this was nearly a decade ago and did not account for the increasingly complex technical requirements and growing data risks. 

More recent statistics show that the direct costs of a HIPAA audit generally start with a HIPAA gap assessment. This is the first step, highlighting any critical gaps that need attention to ensure you’re fully prepared for an audit. Full audits can cost between $20,000 and $50,000, depending on the company’s size. 

HIPAA internal audit: The indirect costs

Unfortunately, it’s not a case of making a once-off payment and being compliant. The indirect costs also need to be considered. The indirect costs, if the work is done manually, include time spent on implementing new systems, making modifications, and undergoing the actual compliance process. 

Another indirect cost (which leads to more direct costs) is the need for regular security awareness training programs. The more employees, the more training, the more time, the more money. 

Although the costs may feel daunting, it’s crucial to look at the bigger picture, as the cost of compliance pales compared to the price you’ll pay without it. 

Opportunity costs: The cost of non-compliance

Let’s crunch the numbers. During 2020 – 2022 alone, the healthcare sector lost $25 billion due to cyberattacks. In 2021, lost business due to data breaches cost roughly $1.6 million. Lost-business costs include reputational loss, revenue loss due to system downtime, lost clients, and more. 

Understandably, the damage is brutal, and consequently, so are the penalties and fines associated with non-compliance. To put the severity into perspective, the OCR totaled 110 cases and $131,563,132.00 as of April 2022. 

Financial penalties due to non-compliance, violations, and breaches vary but carry significant consequences nonetheless. The harshest penalty is for deliberate intent to misuse or sell PHI or e-PHI for personal profit or gain, which can result in up to $250,000 in fines or 10 years’ imprisonment. 

Avoid high HIPAA compliance costs

Don’t spend money you don’t need to. Sure, compliance is critical, but did you know that 94% of healthcare organizations fail their audit due to an ineffective compliance program? At Scytale, we cover HIPAA in one fell swoop so that when you’re compliant, you stay compliant. The best part? No need to run after admin and cry over HIPAA workloads when you can automate the entire process.
