If you are a health organization, or you work with third parties in the health space, then you need to pay close attention to HIPAA.
For companies in the healthcare business, as well as third parties working in the field, patient data raises particularly substantial privacy and security issues. To avoid data breaches or leaks of personal information, patient data must be processed, stored, and transmitted securely.
Companies have been required to protect data in compliance with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) since its inception, which came at the nexus of information technology breakthroughs and the movement of patient information to digital form. HIPAA is overseen by the US Department of Health and Human Services (HHS). It was established to secure protected health information (PHI), often referred to as patient health information.
So as a B2B company working hand-in-hand with health organizations, how much budget should you be setting aside for HIPAA compliance?
What HHS Says It’s Going To Cost You
HIPAA compliance is rarely given the attention it deserves. This tendency isn’t restricted to small businesses with minimal security budgets. Risk and compliance officers at health companies of all sizes are plagued by a lack of funds.
Shortly after the HIPAA Final Rule was announced in 2013, the HHS provided an intriguing estimate of how much HIPAA compliance may cost.
They calculated the following per organization:
- A revised Notice of Privacy Practices costs $80.
- Updates to the breach notification requirements cost $763.
- Updates to business associate agreements cost $84 each.
- Compliance with security rules costs $113.
Total for each organization: $1,040
However, it’s best to take these numbers with a grain of salt. This HHS estimate is likely to be off-track, especially given the Security Rule’s complications. The Security Rule was established in 2003 with 75 additional standards and 254 points for enterprises to validate against, the majority of which are extremely technical. More technical = more complex to manage = more costly.
Variables That Affect HIPAA Compliance Cost
Like many things in life, one size doesn’t fit all. The cost of HIPAA compliance varies depending on your company. Here are a few factors that will affect the overall cost of your compliance.
Your company’s type: Are you a hospital, a business associate, a health information exchange (HIE), a healthcare clearinghouse, or another type of healthcare organization? Each one will have a different amount of PHI and a different level of risk.
Size of your company: The larger an organization becomes, the more weaknesses it has. More employees, programs, processes, computers, PHI, and departments all add up to more HIPAA costs.
The culture of your company: If data security is a high priority for upper management, you’ve most likely already invested in a cybersecurity program. If management has been reticent to devote resources to security, HIPAA compliance will cost more since there will be more ground to cover.
Your organization’s environment: The type of medical devices, the brand of computers, the type of firewalls, the model of backend servers, and other factors can all affect the cost of HIPAA compliance. The costs of complying with HIPAA will be lower if cybersecurity was considered when procuring, implementing, and maintaining these devices. If security isn’t taken into account, the cost of complying with HIPAA will be higher. Starting from scratch will always cost more.
HIPAA-certified employees at your company: If you don’t have a dedicated HIPAA team, you might not realize how close you are to closing the HIPAA gap. Even with a dedicated HIPAA team, most businesses will need outside help or consultancy to meet HIPAA regulations.
How Much Does A Breach Cost?
The costs of a HIPAA program may appear intimidating, but they pale in comparison to the costs of not protecting PHI. Here are some charges, fines, and penalties associated with data breaches that you may not have considered.
- Fines from the Department of Health and Human Services: up to $1.5 million per violation per year
- Fines from the Federal Trade Commission: $16,000 per violation
- Class action litigation: $1,000 per record
- Settlements with state attorneys general: $150,000 – $6.8 million
- Patient attrition: 40 percent of patients lost
- Free credit monitoring for those affected: $10 – $30 per record
- Identity fraud monitoring: $10 – $30 per record
- Legal fees: $2,000+
- Breach notification costs: $1,000+
- Changes in business associates: $5,000+
- Technology repairs: $2,000+
Those are some serious fines. So the bottom line is that while HIPAA compliance may cost your business, it’s worth the investment.
The Real Numbers (Ballpark)
Taking all of the above into account, and keeping in mind that this estimate is based on a variety of circumstances and unique attributes of your company, here’s how much HIPAA compliance might cost you:
Cost if you’re a small covered entity
- $2,000 for a risk analysis and management plan
- $1,000 – $8,000 for remediation
- $1,000 – $2,000 for policy formulation and training
Total cost: $4,000 – $12,000
Cost if you’re a medium/large covered entity
- $40,000+ for an onsite audit
- $20,000+ for a risk analysis and management plan
- $800 for vulnerability scans
- $5,000+ for penetration testing
- Remediation: varies depending on the entity’s compliance and security status
- $5,000+ for training and policy development
Total cost: $50,000 or more, depending on the entity’s existing situation.
At Managed Services Group, we understand how vital compliance is to healthcare providers and other covered organizations. We want to help you comply with HIPAA in a way that is specific to your company’s needs and resources. Furthermore, whether it’s putting in place a fundamental security architecture or more advanced security measures like threat management or penetration testing, our skilled staff is happy to help you with all areas of your cybersecurity.
Do you have any reservations about your efforts to comply with HIPAA or other healthcare regulations? Not sure where to start? That’s something we can assist you with. Give us a call and we’ll talk about your IT requirements.