Is HIPAA compliance expensive? Or, is it short-sighted to only worry about what HIPAA compliance costs? A new report from Ponemon Institute, The True Cost of Compliance with Data Protection Regulations, looks at compliance costs across several industries and multinational organizations. The study has a lot of details, as we always expect from Ponemon Institute. They cover healthcare data protections as well as other data protection requirements. The analysis provides some valuable insight into what compliance versus non-compliance actually means to your bottom line. The findings may surprise you no matter what you think the costs will show.
Pay Now Or Pay Even More Later
Is HIPAA Compliance Expensive?
What were the findings we found important to share from this new Ponemon report, you may ask? Well, of course, it involves interesting points and ways for us to point out that we were right! Reference our previous episode, Talk to the boss about HIPAA, from earlier this year. The findings in the report actually support our position that compliance is not the reason you should be addressing privacy and security.
The reason you should address privacy and security is that it will cost you a boatload of money if you don’t. The costs are due to business disruptions, loss of reputation, loss of productivity, etc. Those costs far outweigh the fines and penalties for not being compliant. Is HIPAA compliance expensive? Well, you can pay now for the compliance work to protect yourself from the huge costs of dealing with the problems that happen when you aren’t protected. According to this report:
The cost of non-compliance is $14.82m vs compliance is $5.47m.
That is almost three times the cost for failing to protect your data compared to doing the work to protect the data up front and preventing the problems in the first place. It is clearly a solid investment to protect the privacy and security of the data you maintain in your business. If meeting HIPAA compliance requirements helps you do that, then dilly, dilly! HIPAA ends up being the way to SAVE money! It has a huge ROI, just one that you don’t realize until you don’t do it.
Here are some specific details from the report.
Business disruption represents the most costly consequence of privacy and security breaches, while fines, penalties, and other settlement costs represent the least costly consequences of compliance failure.
Following are typical compliance costs:
- Data protection and enforcement activities
- Incident response plans
- Compliance audits and assessments
- Policy development
- Communications & training
- Staff certification
- Redress activities
- Investments in specialized technologies to protect data assets such as threat intelligence, managed file transfer, identity and access governance, cyber analytics, data loss prevention, encryption and more
These non-compliance costs, as shown in the report, add up to 2.71 times the cost of compliance:
- Business disruption
- Productivity losses
- Revenue losses
- Fines, penalties and settlement cost
Healthcare organizations and technology and software organizations experienced the highest growth in cost at 106 percent and 99 percent, respectively.
The following factors lower the total cost of compliance according to the report:
- The more effective an organization’s security posture is, the lower the cost of non-compliance. “security effectiveness is unrelated to compliance cost”
- Corporate investment in compliance reduces the negative consequences and cost of non-compliance.
- Ongoing compliance audits reduce the total costs of compliance. “organizations that do not conduct compliance audits experience the highest compliance cost when adjusted for size.”
“if companies spent more on compliance such as audits, enabling technologies, training, expert staffing and more, they would experience a more than commensurate reduction in non-compliance cost.”
It pays to pay attention! The more you evaluate what is going on, the better everyone will be at their normal jobs on a daily basis.
Organizations that conduct five or more internal compliance audits per year have the lowest total compliance cost in both 2011 and 2017. The highest total compliance cost in the current study ($26.7 million) pertains to organizations that conduct one or two internal compliance audits per year.
Clearly, these data elements show that investing in the compliance work is actually way more about protecting your business than it is about HIPAA compliance itself. When it comes to business decisions, there comes a time when you have to determine what you are willing to risk. If you are electing not to fund your privacy and security program because you think it is too expensive, then you must also acknowledge that you are electing, first and foremost, to risk the security and privacy of all of your patients’ data. But, after seeing this report’s findings, you must also acknowledge that by saving money on protecting your patients’ privacy and security, you are accepting the risk of spending three times that amount should something go wrong.