January 23, 2019

What is the cost of a HIPAA audit?

Travis Good, MD

Datica Alumni — Former Co-founder & Chief Technology Officer

At Datica we’ve been through eleven external audits conducted by a large, national auditing firm. In all cases, I’ve either personally led the efforts from our side or participated in a management capacity, coordinating our internal resources as needed. I wouldn’t call audits a fun process, but they have helped add rigor to our internal security and compliance programs. They have validated the hard work we’ve done to build a fully HIPAA-compliant platform on the public cloud, and an associated organization that exceeds the HIPAA rules. We’ve also learned what does and does not meet HIPAA standards on the cloud from an external or auditor perspective.

You must pay the price if you wish to secure the blessing. — Andrew Jackson

Cost seems to be one of a few gating factors for companies considering a HIPAA audit. It’s certainly a topic we are asked about constantly. I touched on the cost of audits in another post on proving HIPAA compliance with HITRUST CSF certification. If you look at the cost of a HIPAA audit, it breaks into two broad categories.

  1. Direct costs
  2. Indirect costs

Let’s walk through how costs are calculated in both.

Direct costs of a HIPAA audit

This is the easier bucket to calculate. It begins with the costs for an auditing firm to conduct the audit and deliver a report. Curiously, the auditor’s charge is frequently what people use to calculate the overall cost of an audit, which is definitely not accurate. Different types of HIPAA audits exist, and the costs are different for each. Datica has completed all of the audits below. These costs are scoped to a small-to-medium sized organization. There is also wide variability in both the cost and quality of auditors.

  • HIPAA Gap Assessment. The best starting point. It is meant to identify gaps and remediation plans for those gaps. It’s the cheapest option and least time-consuming. It often does not require an onsite visit from an auditor. A gap assessment often leads to a full HIPAA audit; after the gap assessment, organizations spend time addressing the gaps before beginning a full HIPAA audit. The direct cost is about $20,000-$30,000.
  • Full HIPAA Audit. A full HIPAA audit, when applied to technology vendors, assesses an organization against all the requirements in the HIPAA Security Rule. It’s a long list. It includes both technical settings and configurations as well as administrative requirements like training and business associate agreements. It will involve an auditor visit and will require documentation to support claims about security and compliance; this can include showing specific technology settings like password rules and guest access. The direct cost is about $20,000-$50,000.
  • Validated HITRUST Assessment. HITRUST is a more complete, certifiable framework for HIPAA. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. There’s now a standard web app that you use to enter information. Those entries are then validated by a HITRUST-approved assessor. Then HITRUST, the organization, reviews all the entries, typically asks for more evidence, and you hopefully get HITRUST CSF Certified at the end. The direct costs for this include both fees to HITRUST and to your auditor (approved assessor). The direct cost is about $60,000-$120,000 (cost can be much higher for larger organizations).

Indirect costs of a HIPAA audit

It’s really clear that the most precious resource we all have is time. - Steve Jobs

Indirect costs are harder to quantify. The biggest factor to consider is time. Across the types of audit above, the indirect cost increases as you move down the list. For each of our audits, we estimated the total time spent by all employees (we didn’t break it out by employee, so it’s not perfect).

  • Gap Assessment: 40 hours.
  • Full HIPAA Audit: 100 hours.
  • Validated HITRUST Assessment: 400 hours.

Equally hard to estimate was the time spent between each audit to address issues and “harden” our compliance and infosec programs. This time was not captured for any of the specific audits and contributes to the overall cost of compliance.

Total costs of a HIPAA audit

We conservatively estimated the cost of an hour of work to be $100/hour. This is partially due to the cost of salaries and benefits, and partially due to the opportunity cost of not doing other things with this time (writing code, customer support, sales, marketing, etc.). Based on those numbers, the total costs of the different audits are:

  • HIPAA Gap Assessment - $24,000-$34,000.
  • Full HIPAA Audit - $30,000-$60,000.
  • Validated HITRUST Assessment - $100,000-$160,000.

It’s more than just cost

If you are considering an audit, the cost is only one consideration. Audits are time-consuming and distracting, factors that are hard to quantify. Weigh the audit’s value for your organization. For Datica, it was a no-brainer because our audits are part of our value proposition to customers. We have many customers that effectively scale sales without having done audits themselves, so it’s not essential to closing deals, even very large deals.

It’s also important to understand that the cost of an audit is not simply a cost at one point in time. Audits are typically followed by annual reviews, sort of like miniature audits. These also cost money, eat time, and can be a distraction. We’ve calculated the overall cost of being HIPAA compliant in the Total Cost of Ownership of Compliance Guide, so take a look there also for more cost considerations.
