What does compliance with the Health Insurance Portability and Accountability Act (HIPAA) cost?
When it issued the HIPAA Final Rule in 2013, the U.S. Department of Health and Human Services estimated HIPAA implementation would cost all covered entities (CEs) between $114 million and $225.4 million.a But the true cost of compliance has become far greater. The international technology and data firm GlobalSCAPE notes the industry’s compliance costs increased 106% between 2011 and 2017.b
HIPAA compliance is not just costly. It also is time consuming and complex, adding an administrative burden on healthcare employees. GlobalSCAPE notes HIPAA compliance is “among the top 5 most difficult compliances to achieve.” Consequently, many CEs are pouring substantial resources into their compliance programs, trying to keep abreast with complex and ever-changing healthcare laws.c
See related sidebar: 5 steps to becoming HIPAA compliant
Some CEs believe there’s an alternative to compliance. Small or understaffed organizations try to avoid expenditures and don’t allocate enough of their budget to implement a reliable HIPAA compliance program, choosing instead to focus on their HIPAA certification rather than the actual compliance process.
This approach is penny wise and pound foolish. The risks are simply too great. According to GlobelSCAPE, the average price of noncompliance is 2.71 times higher than that of compliance. When CEs are discovered to be in violation of the HIPAA Privacy and Security Rules, they can incur massive fines and penalties from government audits, class-action lawsuits and other legal repercussions, not to mention the loss of patient trust. Consider the comparative costs of compliance versus noncompliance.
The cost of compliance
Factors affecting the cost of HIPAA compliance include an organization’s type, size and culture; its current environment (i.e., level of compliance) and the size of its workforce dedicated to HIPAA compliance, according to SecurityMetrics, an international data security firm.d The American Hospital Association has found that staff salaries account for more than 80% of a hospital’s healthcare compliance cost.e Estimates of total compliance costs vary. Beyond employee expenses, HIPAA requires CEs to implement some costly specifications to the rules, including internal audits, staff training, security risk analyses, policy development and information technology security.
Audits. Since 2016, the HHS Office for Civil Rights (OCR) has been ramping up its audits on CEs and their business associates to enforce compliance with the HIPAA Privacy and Security Rules.f To reduce the risk of being found in violation of HIPAA and fined, CEs should conduct internal HIPAA audits using the OCR’s audit protocol. The audit protocol is extensive, requiring considerable time and effort, prompting some providers to engage a third party to complete the full compliance audit. External audits can cost $40,000 or more, SecurityMetrics reports.
Security risk analyses (SRAs). The HIPAA Security Rule requires CEs to conduct SRAs. When conducted in-house, the process can take many hours over weeks or months, prompting some CEs to hire outside consultants to perform this task. Based on an organization’s size and the scope of the analysis, the cost of an SRA and risk management plan can range from $2,000 to $20,000, according to SecurityMetrics.
Policies and procedures, with associated staff training. HIPAA requires CEs to adhere operationally to policies and procedures formulated in writing, usually by the CE’s compliance officer. Or a HIPAA policy template can be purchased from a vendor, allowing CEs to “plug-n-play.” Other considerations include:
- Specialized training to familiarize staff members with the policies and procedures, as well as with changes in healthcare regulations.
- Compliance courses, which can be cost-effective tools to help a CE maintain compliance.
The cost of developing policies and procedures and providing appropriate staff training depends on the organization’s size and the sophistication of the policies. SecurityMetrics notes the combined costs can range from $1,000 to $5,000, with an additional cost of as much as $3,000 for privacy officer certification training. Total HIPAA training costs will depend on whether an organization develops and executes staff training in-house, purchases an off-the-shelf commercial solution or hires a vendor.
Gap analysis. A gap analysis compares actual performance with potential and desired performance by assessing a CE’s strengths and weaknesses to understand its risk of noncompliance. A gap analysis can cost between $15,000 and $30,000 and can take up to 40 hours to complete. Although not mandated by HIPAA, a gap analysis is instrumental to indicating what an organization needs to do to achieve compliance.
IT security. The growing presence of IT in healthcare has brought with it an increased cost of security compliance to address new threats, such as cybercrime. As of May 2018, according to one report, more than 90% of healthcare organizations had experienced a data breach over the previous two years.g Thus, cybersecurity risks are so high in healthcare, the question for a CE might not be about whether it will face a data breach but about when.
Responding to several catastrophic breaches, many healthcare organizations have made investment in health IT security a priority. Among organizations responding to one 2015 survey, 35% said they intended to make significant investment in HIPAA compliance.h This is no cheap endeavor. In 2014, 56% of providers responding to a survey by PwC said they had budgeted more than $500,000 for compliance activities (30%, between $1 million and $5 million), and 49% rated privacy and confidentiality as a “top-of-mind’ compliance risk.i Despite such expenditures, most cybersecurity professionals report they do not have adequate staff, time or resources to prevent data breaches.j
Regardless of the various compliance expenses described above, it’s vital that a CE maintains a robust and legitimate compliance program. Why is that important? The lack of such a program could be construed to be willful neglect (i.e., a failure to treat compliance with the degree of attention required to uphold the law). The OCR cites willful neglect as a key factor it considers in determining the size of the penalty it will impose on a CE for a HIPAA violation.k
The cost of noncompliance
The HIPAA Enforcement Act authorizes the OCR to fine CEs that fail to protect the privacy and security of protected health information (PHI) in their possession. There are countless ways PHI can be compromised, from insufficient access controls, to impermissible disclosures, to stolen laptops, to poor business associate practices, to phishing attacks and so on. Yet as overwhelming as HIPAA compliance may seem, it also is clear a CE can suffer massive financial damage without a compliance program. Noncompliance can lead to business disruption, productivity losses, fines and penalties and settlement costs (including legal defense and corrective action plans). Although there is no single cost of noncompliance, the many known costs a healthcare organization can incur add up.
Government audits and violation fines. The OCR investigates patient complaints and reviews CEs’ HIPAA compliance through auditing. If a CE does not have a clear commitment to compliance, a government audit immediately places the organization on the defensive. An OCR audit costs time and expenses related to providing documentation, but the true monetary hit comes if the CE is found in violation of HIPAA.
Fines can range from $100 to $50,000 per violation, with a maximum fine of $1.5 million
per violation category, and these numbers are multiplied by the number of years an organization allowed the violation to persist. The Federal Trade Commission also can issue fine ups to $16,000 per violation.
Breaches and breach notifications. A HIPAA breach resulting in compromised PHI can cost $7.79 million, on average, including lost revenue, settlement, forensics, lawsuits and breach notification, according to a 2015 analysis in HIPAA Journal.l Breach notification alone can cost $1,000 or more, as an organization sends priority mail breach notification letters and provides credit or identification theft monitoring to victims. Furthermore, there’s a hidden cost to data breaches, as victims may change healthcare providers; 65 percent of respondents to a TransUnion survey said they might change providers after a data breach.m
Class-action and civil lawsuits. Victims of breaches may pursue class-action lawsuits against a healthcare provider on the grounds of negligence. Class-action lawsuits can cost up to $1,000 per patient record breached, according to SecurityMetrics. Victims also may individually pursue monetary compensation through civil lawsuits.
How well an organization fares in court is largely determined by its stance toward compliance. The legal system treats proactive compliance more favorably than reactive compliance, with willful-neglect cases incurring greater financial penalties and possibly even jail time for compliance officers and others within an organization.
Attorneys general penalties. The Health Information Technology for Economic and Clinical Health (HITECH) Act allows attorneys general to issue financial penalties to healthcare organizations for HIPAA violations. SecurityMetrics reports such penalties can be as high as $6.8 million.
Settlements and Corrective Action Plans (CAPs). There are numerous cases of HHS enforcing CAPs on CEs found in violation of HIPAA.n One settlement case involved the theft of a laptop containing PHI from an employee of CardioNet.o The OCR investigated and found CardioNet did not have sufficient risk analysis and risk management processes in place at the time, and its policies and procedures had not been implemented. Consequently, CardioNet had to settle by paying $2.5 million and implementing a CAP.
Perhaps the most shocking case is the infamous Anthem, Inc. data breach, which exposed the PHI of nearly 79 million people.p Anthem had to pay $16 million to HHS and take significant corrective action for the HIPAA violations that led to the incident. Anthem failed to take appropriate cybersecurity measures to enable it to detect the hackers who infiltrated their system.
No time for procrastinating
CEs have had to comply with HIPAA since its enactment in 1996; yet many continue to delay budgeting for a comprehensive compliance program. They should reconsider this approach: The potential costs of lacking such a program are clearly too great for CEs to defer action any longer.
HIPAA compliance is not a financial loss but an investment safeguarding an organization’s finances and reputation in the face of breaches and lawsuits. Beyond helping to avoid penalties, a proactive compliance program demonstrates the organization’s ethics, which makes the organization attractive to high-quality staff members as well as patients. That’s a key point CEs should keep in mind as they count the cost of compliance.
Footnotes
a. HHS, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule,” Federal Register, Jan. 25, 2013.
b. “In Healthcare, Compliance Is Costly, but Ultimately the Best Medicine,” GlobalSCAPE, Feb. 20, 2018.
c. Zaino, J., “Compliance Costs Can Be Managed,” Healthcare Finance News, Nov. 4, 2014.
d. Stone, J., “How Much Does HIPAA Compliance Cost?” SecurityMetrics.
e. Trifilio, S., “Understanding the True Costs of Healthcare Regulatory Compliance,” HealthcareSource, March 28, 2018.
f. Downing, K., “Auditing for HIPAA Compliance,” Healthcare Innovation, April 26, 2017.
g. Pennic, F., “Global Healthcare Cybersecurity Spending Expected to Exceed $65B Over 5 Years,” HIT Consultant,
May 1, 2018.
h. Wallask, S., “Healthcare Spending Infographic: Security Tops Priorities,” SearchHealthIT.
i. PwC, State of Compliance 2014: Healthcare Provider Industry Brief, 2014.
j. Balbix, “Ponemon Study: Only 1 in 3 Organizations Are Confident They Can Avoid Data Breaches,” GlobeNewswire, Feb. 13, 2019.
k. See CFR 45 § 160.404, “Amount of a Civil Money Penalty.”
l. “The Cost of HIPAA Non-Compliance,” HIPAA Journal, May 4, 2015.
m. “65% of Patients Would Avoid Companies that Suffered a HIPAA Breach,” HIPAA Journal, March 24, 2015.
n. HHS, “Resolution Agreements: Resolution Agreements and Civil Money Penalties.” Content last reviewed on Feb. 7, 2019.
o. HHS, “$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk,” press release, April 24, 2017.
p. HHS, “Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History,” press release, Oct. 15, 2018.