You must pay the price if you wish to secure the blessing. — Andrew Jackson
At Datica we’ve been through three external audits conducted by a large, national auditing firm. In all three cases, I’ve personally led the efforts from our side, coordinating our internal resources as needed. I wouldn’t call it a fun process, but it has helped add rigor to our internal security and compliance programs. It validated the hard work we’ve done to build a fully HIPAA-compliant platform, and an associated organization, that exceeds the HIPAA rules. We’ve also learned what does and does not meet HIPAA standards from an outside, auditor’s perspective.
Cost seems to be one of a few gating factors for companies considering a HIPAA audit. It’s certainly a topic we are asked about constantly. I touched on the cost of audits in my last post on proving HIPAA compliance. If you look at the cost of a HIPAA audit, it breaks into two broad categories.
- Direct costs
- Indirect costs
Let’s walk through how costs are calculated in both.
Direct Costs of a HIPAA Audit
The easier bucket to calculate. It begins with the fee an auditing firm charges to conduct the audit and deliver a report. Curiously, that auditor’s fee is what most people use as the overall cost of an audit, which is not accurate: it leaves out everything the organization itself spends on the process. Different types of HIPAA audits exist, and the costs differ for each. Datica has completed all of the audits below.
- HIPAA Gap Assessment. The best starting point. It is meant to identify gaps and the remediation plans for closing them. It’s the cheapest option and the least time consuming, and it often does not require an onsite visit from an auditor. A gap assessment typically precedes a full HIPAA audit: organizations spend the time in between addressing the identified gaps before the full audit begins. The direct cost is about $15,000-$20,000.
- Full HIPAA Audit. A full HIPAA audit, when applied to technology vendors, assesses an organization against all the requirements in the HIPAA Security Rule. It’s a long list. It covers both technical settings and configurations and administrative requirements like training and business associate agreements. It will involve an auditor visit and will require documentation to support claims about security and compliance; this can include demonstrating specific technology settings such as password rules and guest access. The direct cost is about $20,000-$25,000.
- Validated HITRUST Assessment. HITRUST is a more complete, certifiable framework built on top of HIPAA. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. There’s now a standard web app in which you enter your information. Those entries are then validated by a HITRUST-approved assessor. Then HITRUST, the organization, reviews all the entries, typically asks for more evidence, and you hopefully end up HITRUST CSF Certified. The direct costs include both fees to HITRUST and fees to your auditor (the approved assessor). The direct cost is about $30,000-$45,000 (it can be much higher for larger organizations).
Indirect Costs of a HIPAA Audit
It’s really clear that the most precious resource we all have is time. - Steve Jobs
Indirect costs are harder to quantify. The biggest factor to consider is time. For the types of audit above, the indirect costs increase as you move down the list. For each of our audits, we estimated the total time spent by all employees (we didn’t break it out by employee, so it’s not perfect).
- Gap Assessment: 40 hours.
- Full HIPAA Audit: 100 hours.
- Validated HITRUST Assessment: 200 hours.
Equally hard to estimate was the time spent between each audit addressing issues and “hardening” our compliance and information security programs. That time was not captured for any of the specific audits, but it contributes to the overall cost of compliance.
Total Costs of a HIPAA Audit
We conservatively estimated the cost of an hour of work to be $100/hour. That figure is partly the cost of salaries plus benefits and partly the opportunity cost of not doing other things with that time (writing code, customer support, sales, marketing, etc.). Based on those numbers, the total costs of the different audits are:
- HIPAA Gap Assessment - $17,800-$22,800.
- Full HIPAA Audit - $27,000-$32,000.
- Validated HITRUST Assessment - $44,000-$59,000.
It’s more than cost
If you are considering an audit, cost is only one consideration. Audits are time consuming and distracting, and those factors are hard to quantify. Weigh the audit’s value for your organization. For us, it was a no-brainer because our audits are part of our value proposition to customers. We have many customers who effectively scale sales without having done audits themselves, so it’s not essential to closing deals, even very large deals.
It’s also important to understand that the cost of an audit is not simply a cost at one point in time. Audits are typically followed by annual reviews, sort of like miniature audits. These too cost money, eat time, and can be a distraction. We’re working on calculating the overall cost of being HIPAA compliant so stay tuned for more soon. Also, if you have audit insights you can share, we’d love to hear them.