What Is the Cost of a HIPAA Compliance Software Audit?
- Aug 13, 2020
Healthcare organizations in the US are obliged to meet HIPAA requirements and secure patients’ protected health information (PHI) by all means. But what is the cost of auditing HIPAA compliance? In this article, we shed light on aspects that influence the overall cost of HIPAA compliance and reveal the HIPAA compliance software audit cost.
What to check to ensure your healthcare app is HIPAA compliant
Before we calculate the cost of a HIPAA compliance software audit, let’s see what HIPAA regulations involve and what aspects may influence the overall cost of becoming HIPAA compliant.
HIPAA regulations require software that receives, processes, and stores PHI to meet several demands. Here, we list the main software requirements companies must follow to comply with HIPAA.
#1 Strictly control access
Companies working in healthcare may have a lot of staff members. However, not all of them require access to PHI to carry out their duties. That’s why companies need to implement role-based access to patients’ health information.
Organizations need to define the staff who will be working with PHI and divide them into several groups in accordance with the amount of PHI they need access to. Therefore, several access levels should be implemented for each group accordingly so that every staff member only has access to the information they need.
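The role-based, deny-by-default access model described above, as an added example (not code from the article or from any product it mentions). The role names, the permitted PHI fields per role, and the sample patient record are all constructed assumptions for a hypothetical clinic application; the point is that a role sees only the fields it needs and that an unknown role, or a request for a field outside its set, is refused rather than silently allowed.

```python
from typing import Dict, Iterable, Optional, Set

# Assumed role model: each role lists only the PHI fields it needs.
# Anything not listed is denied by default.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes", "insurance_id"},
    "nurse": {"name", "dob", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id"},
    "receptionist": {"name", "dob"},
}

# Non-PHI bookkeeping fields every authenticated role may see.
ALWAYS_VISIBLE: Set[str] = {"patient_id"}

# Constructed, fictional patient record used as sample input.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1980-01-01",
    "diagnosis": "example diagnosis",
    "medications": ["example medication"],
    "notes": "example clinical note",
    "insurance_id": "INS-12345",
}


class AccessDenied(Exception):
    """Raised when a role is unknown or asks for a field it may not see."""


def permitted_fields(role: str) -> Set[str]:
    """Return the field set for a role; unknown roles get nothing."""
    if role not in ROLE_PERMISSIONS:
        raise AccessDenied(f"unknown role: {role!r}")
    return ROLE_PERMISSIONS[role] | ALWAYS_VISIBLE


def view_record(role: str, record: dict,
                requested: Optional[Iterable[str]] = None) -> dict:
    """Return the subset of `record` that `role` may see.

    If the caller names specific fields, any field outside the role's
    permission set is an explicit denial (so that a UI or API cannot
    quietly over-fetch PHI). Without a field list, the record is
    filtered down to the permitted subset.
    """
    allowed = permitted_fields(role)
    if requested is not None:
        wanted = set(requested)
        denied = wanted - allowed
        if denied:
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        return {k: v for k, v in record.items() if k in wanted}
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(role, sorted(view_record(role, SAMPLE_RECORD)))
```

The filtering happens on the server side, at the point where the record is assembled for a response; doing it in the client is not an access control, because the full record has already left the trusted boundary.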
#2 Limit session times
To prevent PHI from being accessed by unauthorized users, limit session times in the system. This minimizes the chance that someone could access and steal sensitive information when a device is left unsupervised.
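One way to implement the session limits described above, as an added example that is not part of the article. It assumes two limits, an idle timeout (the session ends after a period with no requests, which is what protects an unattended device) and an absolute lifetime (the user must re-authenticate after a fixed period regardless of activity); the 15-minute and 8-hour values are assumptions for illustration, not figures from HIPAA or from the article. A request that arrives after either limit does not revive the session: it is refused and the session is marked revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values; tune to the organization's own risk assessment.
IDLE_TIMEOUT = timedelta(minutes=15)   # no activity for this long -> lock
ABSOLUTE_TIMEOUT = timedelta(hours=8)  # re-authenticate at least this often


@dataclass
class Session:
    user: str
    created_at: datetime       # when the user authenticated
    last_activity: datetime    # last request accepted on this session
    revoked: bool = False


def session_status(session: Session, now: datetime,
                   idle: timedelta = IDLE_TIMEOUT,
                   absolute: timedelta = ABSOLUTE_TIMEOUT) -> str:
    """Classify a session at time `now` without modifying it."""
    if session.revoked:
        return "revoked"
    # Absolute lifetime is checked first: continuous activity must not
    # be able to keep a session alive indefinitely.
    if now - session.created_at > absolute:
        return "expired_absolute"
    if now - session.last_activity > idle:
        return "expired_idle"
    return "active"


def touch(session: Session, now: datetime) -> bool:
    """Called on every request. Returns True if the request may proceed.

    Only an active session has its activity timestamp advanced; a
    request on an expired session revokes it so that a later request
    cannot slip through on a stale timestamp.
    """
    if session_status(session, now) != "active":
        session.revoked = True
        return False
    session.last_activity = now
    return True


def new_session(user: str, now: datetime) -> Session:
    return Session(user=user, created_at=now, last_activity=now)


if __name__ == "__main__":
    t0 = datetime(2020, 8, 13, 8, 0, tzinfo=timezone.utc)
    s = new_session("nurse1", t0)
    print(touch(s, t0 + timedelta(minutes=10)))   # active: accepted
    print(touch(s, t0 + timedelta(minutes=40)))   # 30 min idle: refused
    print(session_status(s, t0 + timedelta(minutes=41)))
```

Timestamps are timezone-aware UTC so that a clock change on the workstation cannot stretch or shorten the window; in a deployed system `now` comes from the server, never from the client.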
#3 Encrypt data
Although encryption is optional according to HIPAA, it’s one of the fastest and easiest ways to protect PHI. When using encryption, it’s critical to use reliable protocols that meet the National Institute of Standards and Technology (NIST) requirements and to store encryption keys in a place that’s protected from potentially malicious insiders.
#4 Establish an activity tracking system
Activity tracking systems help track users’ behavior in your systems and networks. An activity tracking system can identify suspicious behavior and help you detect and stop insider threats. If one of your staff members performs unusual actions either with malicious intent or unintentionally, the system will warn you about it, and you’ll have a chance to investigate the issue.
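An added example of the kind of detection logic such a system runs over PHI access logs; it is not code from the article or from any product. The log format, the user names, the thresholds (more than five distinct patients viewed by one user within an hour, or any access outside 07:00 to 19:00 UTC) and the sample lines are all constructed assumptions. The output is a list of findings for a person to investigate, which is the "warn you about it" step the text describes, not an automatic block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample log lines (assumed format: ISO timestamp, then key=value pairs).
LOG_LINES = [
    "2020-08-12T09:05:00Z user=nurse1 action=view patient=P-1001",
    "2020-08-12T09:07:00Z user=nurse1 action=view patient=P-1002",
    "2020-08-12T09:40:00Z user=nurse1 action=update patient=P-1001",
    "2020-08-12T23:15:00Z user=billing2 action=view patient=P-2001",
    "2020-08-12T10:00:00Z user=doc7 action=view patient=P-3001",
    "2020-08-12T10:03:00Z user=doc7 action=view patient=P-3002",
    "2020-08-12T10:06:00Z user=doc7 action=view patient=P-3003",
    "2020-08-12T10:09:00Z user=doc7 action=view patient=P-3004",
    "2020-08-12T10:12:00Z user=doc7 action=view patient=P-3005",
    "2020-08-12T10:20:00Z user=doc7 action=view patient=P-3006",
    "this line is malformed and must not crash the parser",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "patient": m["patient"]}


def detect(lines: List[str],
           max_patients_per_window: int = 5,
           window: timedelta = timedelta(hours=1),
           business_hours: tuple = (7, 19)) -> List[dict]:
    """Return findings: off-hours access and unusually broad record access."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    findings: List[dict] = []
    per_user: Dict[str, List[dict]] = defaultdict(list)

    for e in events:
        per_user[e["user"]].append(e)
        start, end = business_hours
        if not (start <= e["ts"].hour < end):
            findings.append({"rule": "off_hours", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"]})

    # Rolling window per user: count distinct patients touched within
    # `window` of each event. One finding per user is enough for triage.
    for user, evs in per_user.items():
        for i, first in enumerate(evs):
            distinct = {x["patient"] for x in evs[i:]
                        if x["ts"] - first["ts"] <= window}
            if len(distinct) > max_patients_per_window:
                findings.append({"rule": "high_volume", "user": user,
                                 "count": len(distinct), "ts": first["ts"]})
                break
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f)
```

Both rules are deliberately simple baselines; in practice the thresholds are set per role (a physician on call legitimately opens more charts than a billing clerk), and the findings are written to a queue that the Security Officer reviews, with the underlying log lines retained as evidence.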
#5 Back up data
HIPAA regulations require organizations to regularly back up PHI and store a copy on a separate third-party server. Thus, in case of data loss or hardware failure, PHI can be easily restored.
#6 Secure authentication
Companies need to implement a secure authentication procedure to protect against PHI leakages. There are various ways you can ensure secure authentication: by implementing password expiration dates; multi-factor, biometric, and risk-based authentication; physical cards; and electronic keys.
#7 Secure data transfer and storage
Companies must ensure that PHI is stored and transferred securely. Whether you’re using physical servers or cloud storage to store PHI, you must ensure that patients’ information is safe when transferred and stored.
#8 Protect correspondence
The security of email correspondence is one more aspect organizations need to care about. All emails sent from your company’s network should be protected by encryption protocols such as AES for sensitive data protection against brute force attacks and OpenPGP or S/MIME for encrypting emails.
Achieving HIPAA compliance is not only about hardening and protecting your software. HIPAA regulations require healthcare organizations to take several other steps as well. Let’s take a look at them.
In terms of HIPAA compliance, there are four more aspects companies should pay attention to.
#1 Hire a HIPAA specialist
HIPAA regulations require organizations to put in place a HIPAA Compliance Officer whose responsibilities will be to ensure that the organization meets HIPAA requirements and to keep protected health information safe and sound. This position may be occupied either by an in-house employee or by an outsourcing specialist.
Larger companies usually divide the responsibilities of the HIPAA Compliance Officer between two representatives: a HIPAA Privacy Officer and a Security Officer. Each has different responsibilities.
A HIPAA Privacy Officer is responsible for anything regarding HIPAA-related documentation and procedures. This includes developing a HIPAA-compliant privacy program that will maintain the safety of PHI within the company, monitoring changes to HIPAA rules, creating training materials, and conducting training on HIPAA compliance rules for employees. The Privacy Officer also maintains risk analysis and risk management reports, monitors the organization's compliance with HIPAA rules, answers employees’ questions regarding HIPAA, and responds to customers’ complaints of non-compliance.
A Security Officer is in charge of implementing technology to keep PHI safe. Security Officers develop internal disaster recovery plans, monitor attempts to access PHI, and prevent unauthorized access to it. They help organizations adopt proper procedures to improve PHI security, develop policies and guidelines for information security systems, and create training materials about the organization’s privacy program in cooperation with the HIPAA Privacy Officer.
#2 Protect devices
All devices and medical equipment that record, receive, and transmit PHI need to meet HIPAA compliance rules. To secure electronic protected health information (ePHI), organizations need to follow several principles:
- Regulate access to devices with patients’ PHI — Healthcare companies need to develop policies that regulate access to hardware where patients’ PHI is located.
- Prevent the theft of devices that store ePHI — Implement policies and procedures to prevent your devices, and the ePHI stored on them, from being tampered with or stolen. You aren’t limited in the security and protection measures you can choose from. To protect your devices, you may implement digital access keys for entering your facility or hire a security company to safeguard your facility, for instance.
- Regulate access to devices in case of an emergency — Establish separate procedures and guidelines on access to devices with PHI in emergency situations.
- Keep maintenance and movement records — Document the dates of repairs and modifications to physical devices and their components. Moreover, you need to record the employees responsible for those modifications. The same rule applies to situations when a device’s physical location is changed.
In addition to keeping hardware secure, you need to bear in mind the security of electronic media. Electronic media is any medium that can be used to store PHI, such as flash drives, USB drives, and DVDs. There are several requirements on protecting PHI stored on electronic media.
- Regulate the use of media — Develop guidelines that outline the terms and conditions for use of media by your employees. Provide your employees with clear instructions they can follow to keep media-stored PHI secure.
- Provide for proper disposal of PHI — Create guidelines on the appropriate removal of PHI before media drives are reused to store other information.
- Keep records of media drive movement — The movement of media drives, the date and time of movement, and the people responsible for that movement should be recorded.
#3 Ensure protection of the physical environment
HIPAA outlines some rules for physical environment security as well. These rules touch upon several aspects of an organization’s physical environment:
- Office access controls — Organizations must implement procedures to track who accesses company facilities and offices where PHI is located (and when) to prevent third parties from accessing these sites.
- Workstation use — A healthcare organization must have policies and guidelines on the proper use of workstations that provide access to PHI. Organizations should outline what each workstation and device should be used for, by whom it can and cannot be used, and the way it works.
- Workstation security — HIPAA regulations require healthcare companies to take reasonable and efficient measures to prevent workstations from being accessed by unauthorized users. Thus, you need to establish physical safeguards and implement an access control system for all workstations that access PHI.
- Protect the organization’s network — Make all efforts to prevent unauthorized network access. Use a firewall and antivirus software, and make sure your staff use strong passwords for their accounts and change those passwords often.
#4 Develop and maintain HIPAA-related documentation
Creating HIPAA-related documentation and keeping it up to date is a crucial aspect of achieving HIPAA compliance. An organization needs to develop and maintain a set of documents related to HIPAA compliance. Most of them are obligatory, while others are addressable. Let’s take a look at them.
Obligatory HIPAA-related documents
- Risk analysis and risk management — An assessment of possible risks and vulnerabilities that may hamper the security of (e)PHI stored by an organization.
- Sanctions policy — A policy that outlines the sanctions a company will apply on staff members if they fail to ensure the confidentiality of (e)PHI.
- Information systems activity reviews — A document containing regular detailed reviews on (e)PHI access and activity logs. It helps companies detect and report any vulnerabilities and intrusions.
- Assigned security responsibility — A document that states the name, title, and contact information of the company’s current HIPAA Security Officer. It also outlines the Security Officer’s HIPAA-related activities and responsibilities.
- Security reminders — Includes security-related information and aims to educate company employees about the measures they need to take and the actions they must avoid to protect ePHI. Security reminders are also an essential component of a company’s security awareness training program.
- Response and reporting policy — Describes how a company will identify and respond to security issues. A response and reporting policy is a step-by-step plan that includes an outline of the company’s actions that can help them to prevent further damage, fix any issues, and analyze them to prevent such issues in the future.
- Emergency mode — Outlines recovery procedures that employees must follow in case any security issues arise. This document describes necessary actions for every department in an organization and provides contact information for recovery teams and information about the recovery site.
- Business associate agreements (BAA) — These are contracts that a covered entity needs to sign with business associates that might get access to PHI. A healthcare organization itself is a covered entity, and a business associate is any vendor that the covered entity hires to perform a particular task. By signing business associate agreements, business associates undertake to follow HIPAA regulations and protect against PHI leakages on their end.
- Contingency plans — Plans that can help healthcare organizations recover from any kind of emergency and get back to their ordinary workflow. These plans should contain recovery procedures for potential issues like a fire in an office building, a natural disaster, a cyberattack, and other eventualities.
Addressable HIPAA-related documents
- Uses and disclosures of PHI — Contains an updated list of cases in which uses and disclosures of PHI are permitted.
- Security awareness and training — An educational program that contains materials to teach a company’s employees how to prevent security breaches and keep PHI safe.
Even though some of these documents are not obligatory, you’d better have them in your organization as they serve as an additional layer of protection against PHI leakages.
How much does a HIPAA compliance software audit cost?
Below is the approximate price of a software audit that will help you ensure your healthcare app is compliant with HIPAA. But first, let’s review how much time is required for HIPAA compliance specialists to perform an audit.
What is the cost of the HIPAA compliance software audit?
Below, we reveal both optimistic and pessimistic estimates. The optimistic estimate implies that the software has clear functionality and proper documentation. In the pessimistic estimate, we take into account possible risks, lack of appropriate documents, and a need to implement additional scenarios that were not obvious at the beginning.
| Checklist item | Optimistic estimate (hours) | Pessimistic estimate (hours) |
| --- | --- | --- |
| Strictly control access | 4 | 6 |
| Limit session times | 2 | 4 |
| Establish an activity tracking system | 6 | 8 |
| Back up data | 10 | 12 |
| Secure data transfer and storage | 6 | 8 |
In total, a HIPAA compliance software audit requires between 56 and 74 hours.
Price of a HIPAA compliance software audit
Hourly rates of HIPAA compliance specialists vary across countries. According to Clutch, the cost of such a service in the United States and Western Europe varies from $50 to $150 per hour. HIPAA compliance specialists from Eastern Europe provide this service at a rate between $25 and $49 an hour, while specialists in India and some Asian countries may charge less than $25 per hour.
Thus, the price of a HIPAA compliance software audit in the US and Western Europe is roughly $6,500, while in Eastern Europe, such an audit may cost you approximately $2,450. The cheapest option is to hire specialists from India and get an audit for approximately $1,650.
However, there are more aspects to bear in mind than just the price. A poor audit at a low cost may lead to security gaps and, therefore, huge monetary and reputational losses. When choosing a team to check your software product for HIPAA compliance, you need to pay attention to the price/quality ratio. To achieve the best results, it’s vital to choose a team from a country with a well-developed IT sphere, a high level of education, and a culture similar to yours.
Becoming HIPAA compliant may seem expensive and challenging. However, ensuring the safety of health information and gaining your patients’ trust is priceless.
- Check your software for HIPAA compliance
- Hire a HIPAA specialist
- Protect devices and medical equipment that store PHI
- Make sure your physical facilities are properly protected
- Create and maintain HIPAA-related documentation
You need to develop and maintain the following HIPAA-related documents:
- Risk analysis and risk management
- Sanctions policy
- Information systems activity reviews
- Assigned security responsibility
- Security reminders
- Response and reporting policy
- Emergency mode
- Business associate agreements
- Contingency plans
- Uses and disclosures of PHI
- Security awareness and training
The overall price of a HIPAA compliance software audit varies between $1,680 and $2,220.
If you’re looking for a team of HIPAA compliance specialists to perform an audit for you, contact RubyGarage and get excellent value for your money.