Sitemaps
Questions
DiscussionsQuestionsExperts

Questions

Healthcare

What does it take to set up a HIPAA compliant infrastructure?

When considering implementing HIPAA in my company, I'd like to know how much it would cost in terms of technology, resources and time.

Answer This Question

3

Answers

Kathy Crook

Attorney. Entrepreneur. Privacy Pro.

It depends on your business/industry. Do you collect, maintain health information on behalf of your company or another company (health care provider or plan)? If not, HIPAA does not apply to you.

Answered over 8 years ago

Elliot Murphy

DevOps, Security, HIPAA, Digital Health tech

For AWS, it costs about $1500 a month minimum because you have to use dedicated EC2 instances. However, if you are already at the point of spending that much per month in EC2 instances anyway, it won't cost much more - it's just that becomes the minimum cost even for a single EC2 server.

There are many AWS services that are not on the HIPAA/BAA approved list, so you'll have to take that into consideration.

By far the most expensive thing is the time it takes to train all your staff and put in place the appropriate administrative controls to ensure that data is safeguarded and patches are put in place.

It's not that expensive to be HIPAA compliant, and if you aren't HIPAA compliant you are likely doing a very bad job of security. I always advise folks to do a good enough job with security (encryption, backups, proper oversight) that everything is HIPAA compliant even if it doesn't have to be.

Also, ever since the 2013 omnibus rule, the HIPAA rules flow out to infrastructure providers even if their product seems to not be specifically about health data - if you have a customer that passes health data through your systems, you are on the hook. Even if your product is very generic like a helpdesk ticketing system.

Answered over 8 years ago