Realistic HIPAA security budgets vs. wishful thinking.

Jen Stone
MSCIS, CISSP, QSA
HIPAA compliance is rarely allocated the resources it requires, and this is not limited to small organizations with thin security budgets. Lack of budget is a plague that affects risk and compliance officers at health organizations of all sizes.

This post will give you the information you need to plan your HIPAA budget more accurately.

SEE ALSO: Five Things to Consider When Making a HIPAA Security Budget

What does the HHS think HIPAA compliance costs?

The HHS gave an interesting estimation (see Table 1) of how much HIPAA compliance might cost, shortly after they released the HIPAA Final Rule in 2013.

Per organization, they estimated:
  • $80 for an updated Notice of Privacy Practices
  • $763 for breach notification requirement updates
  • $84 for business associate agreement updates
  • $113 for security rule compliance
Grand total per organization: $1,040

This estimate is likely inaccurate, especially when considering the complexities of the Security Rule. When the Security Rule was added back in 2003, it included 75 new requirements and 254 points for organizations to validate to, most of which are quite technical.

The following is an example of a "validation point":

164.308 – Acquire IT Systems and Services (1 requirement)
Based on the OCR audit protocol, here are the validation points:
  • Interview management to verify that Policies and Procedures (P&P) exist
  • Determine if the P&P are approved and updated on a periodic basis
  • Obtain and review the documented policy (what is required) and procedure (how we are supposed to accomplish the task)
    • Where are the P&P stored?
    • How are they disseminated to staff?
    • How do we document that staff have read, understand and agree to abide by the policy?
In this one example you can see that this single requirement (1 of 75) has three core validation points (3 of 254) with several more minor validation points.

Looking at the math, and the HHS’ estimated $113 allotted to the security rule, that means only $4 is allowed per requirement. It would be a stretch for healthcare entities to accurately validate each new security point for only $4 worth of labor, technology, and implementation. That’s not even taking into account that you will likely need to add (or, at the very least, upgrade) hardware and applications.

Variables that affect HIPAA compliance cost

The cost of HIPAA compliance depends on your organization. Here are a few variables that will factor into the cost of your overall compliance.

  • Your organization type: Are you a hospital, business associate, HIE, healthcare clearinghouse, or another type of healthcare provider? Each will have varying amounts of protected health information (PHI) and risk levels.
  • Your organization size: Typically, the larger the organization, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments add up to more HIPAA cost.
  • Your organization’s culture: If data security is one of upper management’s top priorities, you have probably already invested in a cybersecurity program. If management has been hesitant to dedicate budget to security, compliance with HIPAA will cost more because you will have more distance to make up.
  • Your organization’s environment: The type of medical devices, the brand of computers, the kind of firewalls, the model of backend servers, etc. can all affect HIPAA compliance cost. If cybersecurity was considered when purchasing, implementing and maintaining these devices, the costs to comply with HIPAA at this point will be lower. If security was not considered, costs to get in line with HIPAA will be greater.
  • Your organization’s dedicated HIPAA workforce: Without a dedicated HIPAA team, you might not know how far you are from closing the HIPAA gap. Even with a dedicated HIPAA team, organizations usually require outside assistance or consulting to help them meet HIPAA requirements.

The cost of a data breach

Costs related to a HIPAA program can seem daunting, but they are small in comparison with not protecting PHI. Here are a few data breach costs, fines, and penalties you may not have considered. 
  • HHS fines: up to $1.5 million/violation/year
  • FTC fines: $16,000/violation
  • Class action lawsuits: $1,000/record
  • State attorneys general: $150,000 – $6.8 million
  • Patient loss: 40%
  • Free credit monitoring for affected individuals: $10-$30/record
  • ID theft monitoring: $10-$30/record
  • Lawyer fees: $2,000+
  • Breach notification costs: $1,000+
  • Business associate changes: $5,000+
  • Technology repairs: $2,000+
SEE ALSO: How Much Does a Data Breach Cost Your Organization?

When you look at the high costs paid by organizations found in violation of HIPAA, it’s obvious the consequences are meant to penalize those who don’t adequately protect patient information.

So, how much does HIPAA compliance cost?

If you are a large provider, you’ll probably benefit most from an onsite HIPAA compliance audit. Security experts examine your organization for security risks, provide guidance as you remediate any problems, and consult on the implementation of any outstanding HIPAA requirements.

Your onsite auditor should work with you to complete both your HIPAA risk analysis and risk management plan. Learn the pros and cons of a HIPAA audit here.

If you don’t have the budget for an onsite audit, you’ll need to find a HIPAA expert to help you get through the risk analysis and risk management plan process. Look for an expert who offers technical support when you have questions. Experts will likely recommend you receive external vulnerability scans to find weaknesses in your systems, and hire penetration testers (ethical hackers) to test your system. If you haven’t already, you’ll likely need to purchase HIPAA policy templates and start your employee training.

Taking all the above into consideration, and remembering that this estimate depends on various factors at your organization, here’s how much HIPAA compliance might cost you:

If you are a small covered entity, HIPAA should cost:

  • Risk Analysis and Management Plan ~ $2,000
  • Remediation ~ $1,000 - $8,000
  • Training and policy development ~ $1,000 - $2,000
Total: $4,000 - $12,000

If you are a medium/large covered entity, HIPAA should cost:

  • Onsite audit ~ $40,000+
  • Risk Analysis and Management Plan ~ $20,000+
  • Vulnerability scans ~ $800
  • Penetration testing ~ $5,000+
  • Remediation ~ Varies based on where entity stands in compliance and security
  • Training and policy development ~ $5,000+
Total: $50,000+, depending on the entity’s current environment

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.