The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How Much Does HIPAA Compliance Cost?

Estimates of how much HIPAA compliance costs have risen sharply since HHS forecast costs of between $458 and $3,602 for health plans – and of between $1,269 and $10,211 for hospitals – for complying with the Privacy Rule in 1999. A quarter of a century later, mid-range estimates of the cost of HIPAA compliance fall between $80,000 and $120,000.

The Health Insurance Portability and Accountability Act was passed in 1996 in an attempt to reform the health insurance industry. To neutralize the costs of the reforms to the industry and protect tax revenues, Congress added measures to reduce fraud and abuse in the healthcare industry and simplify the administration of healthcare transactions such as eligibility checks, authorizations for treatment, and claims for reimbursement.

The measures to simplify the administration of healthcare transactions led to the publication of the Administrative Simplification Regulations (Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulations, “Public Welfare”). The Regulations include the HIPAA General Provisions, the Transactions and Code Sets Rules, and the HIPAA Privacy, Security, and Breach Notification Rules. Since their publication, the Administrative Simplification Regulations have been updated multiple times.

What Does it Mean to be HIPAA Compliant?

Being HIPAA compliant means that an individual or organization that qualifies as a covered entity or business associate (see “Who Needs to be HIPAA Compliant?” below) complies with all the applicable standards and implementation specifications of the Administrative Simplification Regulations. For some individuals and organizations, this can mean complying with far fewer standards and implementation specifications than for others.


For example, whereas a large health system that conducts healthcare transactions in-house will have to comply with most of the Administrative Simplification Regulations, a cloud service provider that offers “no view” data storage services as a business associate will mainly have to comply with the applicable standards and implementation specifications of the Security and Breach Notification Rules (plus the Privacy Rule’s limits on uses and disclosures of PHI set by its business associate agreement) – reducing how much it costs to become HIPAA compliant.

Who Needs to be HIPAA Compliant?

An individual or organization needs to be HIPAA compliant if it qualifies as a HIPAA covered entity – i.e., a health plan, a health care clearinghouse, or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has adopted standards in 45 CFR Part 162. It is important to be aware that not all providers of insured health benefits and not all healthcare providers qualify as HIPAA covered entities.

In addition, a third-party service provider that performs a service to or on behalf of a HIPAA covered entity also needs to be HIPAA compliant if the service involves the creation, receipt, maintenance (including storage), or transmission of Protected Health Information (PHI). Service providers that provide such services are referred to as “business associates”; not only must business associates comply with all applicable standards of HIPAA, but so must their subcontractors.

How Much Does HIPAA Compliance Cost According to HHS?

HHS has only produced partial estimates of how much HIPAA compliance costs, partly because of the different types of organizations covered by HIPAA and partly because – at the time the proposed Security Rule was published – it was assumed that covered entities that conducted electronic healthcare transactions would already have most of the required security measures in place, and would only need to implement minimal additional measures to become HIPAA compliant.

However, in the Notice of Proposed Rulemaking for the Privacy Rule, HHS estimated the average cost of implementing the provisions of the Privacy Rule at between $337 and $732 depending on the size of an organization and the nature of its activities. This 1999 estimate of how much HIPAA compliance would cost failed to take into account that many covered entities were already required to comply with state laws relating to the privacy of healthcare data.


Similarly, when HHS estimated the average cost of compliance with the Omnibus Final Rule in 2013 at $1,040 per organization, the estimate failed to take into account that many states already had breach notification laws. As 75% of the 2013 Omnibus Final Rule estimate was based on the cost of breach notifications – and the number of future breaches that would incur those costs was unknown – this estimate of the cost of HIPAA compliance is probably best disregarded.

How Much Does HIPAA Compliance Cost in 2024?

Inflation alone would roughly double the 1999 figures, but current estimates of the cost of HIPAA compliance in 2024 are far higher than that. Although there is no consensus among compliance professionals, the mid-range estimate seems to be between $80,000 and $120,000, depending on whether compliance efforts are mostly in-house (potentially with help from software or consultants) or completely outsourced.

In reality, how much HIPAA compliance costs in 2024 depends on the size, nature, and distribution of an organization, the degree of compliance with other healthcare regulations, and the resources available to the organization to become HIPAA compliant. Because of these variables, it may cost less for a larger, multi-specialty, multi-location health system to become HIPAA compliant than for a smaller, single-location dental practice.

Does Size, Nature, and Distribution Matter?

The size, nature, and distribution of an organization is a smaller factor in determining how much HIPAA compliance costs than some other variables. It might be assumed that a large health system providing a variety of medical services to patients at multiple physical service delivery sites and in the community is going to have a larger workforce to train, more standards to comply with, and more compliance challenges to overcome.

However, the HIPAA regulations protecting the privacy of individually identifiable health information are the same regardless of the medical service provided; the additional standards protecting sensitive psychiatric, substance use disorder (SUD), and reproductive healthcare information are similar (and only apply to a subset of the workforce); and the implementation specifications for securing PHI apply whether colleagues are communicating PHI from adjoining offices or from miles apart.

Compliance with Other Healthcare Regulations

How much HIPAA compliance costs is more likely to be affected by the degree of compliance with other healthcare regulations than by an organization’s size, nature, and distribution. For example, a health system that complies with the Medicare Conditions of Participation is going to be much closer to HIPAA compliance than a dental practice that only bills health plans and has not implemented any measures to protect the privacy or security of PHI.

Compliance with federal non-health regulations, voluntary standards, and security frameworks can also make a difference to how much HIPAA compliance costs. If a health system complies with OSHA, has been audited against SOC 2 or certified to ISO/IEC 27001, or has followed guidance such as NIST SP 800-66r2 (NIST’s guide to implementing the HIPAA Security Rule), it will most likely already have the measures in place to meet HIPAA’s disaster recovery, contingency operations planning, and emergency access requirements.

The Resources Available to Become HIPAA Compliant

Similarly, the resources available to become HIPAA compliant also affect how much HIPAA compliance costs. A large health system will likely already be paying for legal, compliance, and IT services – either directly (i.e., via employed members of the workforce) or indirectly (i.e., via outsourced contractors). The health system may only need to redirect the resources it is already paying for in order to fund becoming HIPAA compliant.

A smaller, single-location dental practice might also be paying directly or indirectly for legal, compliance, and IT services. However, those existing resources are less likely to have the capacity to scale up to support HIPAA compliance (depending on the existing degree of HIPAA compliance), and it is more likely that the smaller practice will have to engage third-party consultants or outsource certain compliance activities.

How Much Does HIPAA Non-Compliance Cost?

There is no one-size-fits-all scale for how much HIPAA non-compliance costs because penalties for HIPAA compliance failures are assessed according to multiple factors. These factors include (but are not limited to):

  • Whether the covered entity/business associate knew or should have known the compliance failure was a violation of HIPAA.
  • The nature and extent of the violation(s), the number of individuals affected, and how long the violation(s) continued.
  • Whether the violation(s) resulted in physical, financial, and/or reputational harm, or prevented/hindered access to health care.
  • The history of prior compliance and whether violations of a similar nature have previously been reported or notified to HHS.
  • How the covered entity/business associate has responded to previous compliance failures or technical assistance provided by HHS.

Even when the consequences of HIPAA violations are not financial penalties, they can still incur indirect costs. The HHS Office for Civil Rights initiates hundreds of compliance reviews each year, and when non-compliance with HIPAA is identified, organizations are required to adopt corrective actions. These can include the implementation of further safeguards, revisions to policies and procedures, and workforce retraining – all of which can be disruptive and costly.

Calculating How Much HIPAA Compliance Costs

To calculate how much HIPAA compliance will cost, a covered entity or business associate needs to review its current degree of healthcare regulatory compliance against a HIPAA compliance checklist and then conduct a gap analysis to identify which measures need to be implemented to raise HIPAA compliance to the required level. Those measures can then be costed to calculate how much achieving a state of HIPAA compliance will cost.

However, HIPAA compliance is an ongoing requirement. Achieving “point-in-time” HIPAA compliance does not excuse a covered entity or business associate from a penalty for a later violation of HIPAA, so organizations need to calculate not only how much becoming HIPAA compliant will cost, but also how much maintaining a healthcare compliance program will cost. Organizations requiring help with these calculations should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal and is responsible for its editorial policy and for the factual and legal accuracy of all content it publishes. He is a specialist in healthcare industry legal and regulatory affairs, has 10 years of experience writing about HIPAA and related legal topics, and has written hundreds of articles on HIPAA-related topics, developing a deep understanding of the regulatory issues surrounding the use of information technology in the healthcare industry. Steve manages a team of writers and holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
