At Datica we’ve been through eleven external audits conducted by a large, national auditing firm. In all cases, I’ve either personally led the efforts from our side or participated in a management capacity, coordinating our internal resources as needed. I wouldn’t call audits a fun process, but they have helped add rigor to our internal security and compliance programs. They validated the hard work we’ve done to build a fully HIPAA compliant platform on the public cloud, and an associated organization that exceeds the HIPAA rules. We’ve also learned what does and does not meet HIPAA standards on the cloud from an external, or auditor’s, perspective.
You must pay the price if you wish to secure the blessing. — Andrew Jackson
Cost seems to be one of a few gating factors for companies considering a HIPAA audit. It’s certainly a topic we are asked about constantly. I touched on the cost of audits in another post on proving HIPAA compliance with HITRUST CSF certification. If you look at the cost of a HIPAA audit, it breaks into two broad categories.
- Direct costs
- Indirect costs
Let’s walk through how costs are calculated in both.
Direct costs of a HIPAA audit
This is the easier bucket to calculate. It begins with the fee an auditing firm charges to conduct the audit and deliver a report. Curiously, that auditor’s fee is what most people use as the overall cost of an audit, which is definitely not accurate. Different types of HIPAA audits exist, and the costs are different for each. Datica has completed all of the audits below. These costs are scoped to a small-to-medium sized organization. There is also wide variability in both the cost and quality of auditors.
- HIPAA Gap Assessment. The best starting point. It is meant to identify gaps and remediation plans for those gaps. It’s the cheapest option and least time-consuming. It often does not require an onsite visit from an auditor. A gap assessment often leads to a full HIPAA audit; after the gap assessment, organizations spend time addressing the gaps before beginning a full HIPAA audit. The direct cost is about $20,000-$30,000.
- Full HIPAA Audit. A full HIPAA audit, when applied to technology vendors, assesses an organization against all the requirements in the HIPAA Security Rule. It’s a long list. It includes both technical settings and configurations as well as administrative requirements like training and business associate agreements. It will involve an auditor visit and will require documentation to support claims about security and compliance; this can include showing specific technology settings like password rules and guest access. The direct cost is about $20,000-$50,000.
- Validated HITRUST Assessment. HITRUST is a more complete, certifiable framework for HIPAA. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. There’s now a standard web app that you use to enter information. Those entries are then validated by a HITRUST-approved assessor. Then HITRUST, the organization, reviews all the entries, typically asks for more evidence, and you hopefully get HITRUST CSF Certified at the end. The direct costs for this include both fees to HITRUST and to your auditor (approved assessor). The direct cost is about $60,000-$120,000 (the cost can be much higher for larger organizations).
Indirect costs of a HIPAA audit
It’s really clear that the most precious resource we all have is time. - Steve Jobs
Indirect costs are harder to quantify. The biggest factor to consider is time. For each of the types of audit above, the indirect costs increase as you move down the list. For each of our audits, we estimated the total time spent by all employees (we didn’t break it out by each employee, so it’s not perfect).
- Gap Assessment: 40 hours.
- Full HIPAA Audit: 100 hours.
- Validated HITRUST Assessment: 400 hours.
Equally hard to estimate was the time spent between each audit to address issues and “harden” our compliance and infosec programs. This time was not captured for any of the specific audits and contributes to the overall cost of compliance.
Total costs of a HIPAA audit
We conservatively estimated the cost of an hour of work to be $100/hour. This covers both the salary and benefits paid for that hour and the opportunity cost of not spending it on other things (writing code, customer support, sales, marketing, etc). Adding those hours to the direct costs above, the total cost of the different audits is:
- HIPAA Gap Assessment - $24,000-$34,000.
- Full HIPAA Audit - $30,000-$60,000.
- Validated HITRUST Assessment - $100,000-$160,000.
It’s more than just cost
If you are considering an audit, the cost is only one consideration. Audits are time-consuming and distracting, factors that are hard to quantify. Weigh the audit’s value for your organization. For Datica, it was a no-brainer because our audits are part of our value proposition to customers. We have many customers that effectively scale sales without having done audits themselves, so it’s not essential to closing deals, even very large deals.
It’s also important to understand that the cost of an audit is not simply a cost at one point in time. Audits are typically followed by annual reviews, sort of like miniature audits. These also cost money, eat time, and can be a distraction. We’ve calculated the overall cost of being HIPAA compliant in the Total Cost of Ownership of Compliance Guide, so take a look there also for more cost considerations.