For AWS, it costs about $1500 a month minimum because you have to use dedicated EC2 instances. However, if you are already at the point of spending that much per month in EC2 instances anyway, it won't cost much more - it's just that becomes the minimum cost even for a single EC2 server.
There are many AWS services that are not on the HIPAA/BAA approved list, so you'll have to take that into consideration.
By far the most expensive thing is the time it takes to train all your staff and put in place the appropriate administrative controls to ensure that data is safeguarded and patches are put in place.
It's not that expensive to be HIPAA compliant, and if you aren't HIPAA compliant you are likely doing a very bad job of security. I always advise folks to do a good enough job with security (encryption, backups, proper oversight) that everything is HIPAA compliant even if it doesn't have to be.
Also, ever since the 2013 omnibus rule, the HIPAA rules flow out to infrastructure providers even if their product seems to not be specifically about health data - if you have a customer that passes health data through your systems, you are on the hook. Even if your product is very generic like a helpdesk ticketing system.
Answered 6 years ago