HIPAA Audits: Direct & Indirect Costs
From connecting with friends and family more easily (no matter the distance) to revolutionizing how businesses interact with customers, digital transformation has significantly altered the ways that we communicate with one another. And though advancements in technology have drastically enhanced efficiencies in procedures and processes for businesses across every industry, they also come with consequences.
Of course, as the amount of information stored in the cloud increases, so does the threat of cyberattacks: the more data that lives in the cloud, the more there is to steal in the event of a data breach. In fact, a study performed by Juniper Research last year estimates that 33 billion records will be stolen by cybercriminals in 2023. What’s more, the same study expects that more than half of all global data breaches will occur in the United States by that same time.
Why Does a HIPAA Audit Matter?
Healthcare organizations face an even greater risk of cyberattack because of the sensitive nature of cloud-based patient information. Vendors providing services to healthcare systems are also at risk of having data stolen and now need to secure their own services. So, what should healthcare organizations be doing to protect themselves and their customers from a data breach? One of the most common steps that healthcare systems and vendors in the industry are taking to secure patient data is undergoing a HIPAA audit.
The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, was enacted to ensure that patient medical data is kept safe and secure. Although the technology surrounding healthcare looks quite a bit different today than it did when HIPAA was first put into effect, healthcare organizations and their vendors/business associates (BAs) that handle sensitive patient data still have stringent rules and regulations they must follow to be HIPAA compliant. Today, many of these businesses are choosing to undergo a HIPAA audit to ensure compliance with the law. They also gain peace of mind knowing their patients and customers are protected to the highest degree possible.
Costs Associated with a HIPAA Audit
Although undergoing a HIPAA audit — whether done by a third party or a self-assessment — can help better protect sensitive patient data, the costs associated with the audit are high. In fact, cost is often the sole factor preventing companies from considering an audit.
There are two broad categories of costs involved with a HIPAA audit: direct costs and indirect costs.
HIPAA Audit: Direct Costs
The direct costs of a HIPAA audit may include a HIPAA Gap Assessment, which often serves as an introductory step to a full audit and costs between $20,000 and $30,000. A full HIPAA audit is most often done by technology vendors working with healthcare organizations and runs between $20,000 and $50,000 depending on the size of the company.
HIPAA Audit: Indirect Costs
In addition to the direct costs of a HIPAA audit, there are indirect costs, such as the time required of valuable internal resources (i.e., staff) not only to go through the audit process itself, but also to make modifications and improvements to processes along the way.
Overall, the cost of the audit is directly tied to the size of the organization, its infrastructure, etc. A larger organization means more employees, more programs, more processes, more workstations and more stored protected health information (PHI) — all contributing to a higher cost of HIPAA compliance. On the other hand, undergoing a HIPAA audit could end up costing smaller companies more than larger companies due to time and resource constraints. It is worth noting, of course, that the cost of becoming HIPAA compliant pales in comparison to the penalties of a data breach.
Compliance, Not Certification
Perhaps the most important takeaway for organizations considering a HIPAA audit is the difference between compliance and certification. One challenge with a HIPAA audit is that there is no concrete certification awarded to an organization once the audit is complete, as is also the case with Europe’s GDPR. This is the main difference between a HIPAA audit and the HITRUST CSF, which is slowly becoming the new standard in the healthcare industry. Suffice it to say: if HIPAA is a state, then HITRUST is the United States, meaning it is composed of several security frameworks and regulatory factors (including HIPAA), allowing BAs to assess against several industry-standard frameworks at once to satisfy customers across the board. With our eyes on the future, we are completing our HITRUST renewal to help us break into new territories.