January 6, 2016

Cost of HITRUST assessment and certification

Mohan Balachandran

Datica Alumni — Former Co-Founder

Cost is one of a few gating factors for companies considering a HITRUST Assessment. This cost can be broken up into two broad categories: direct and indirect costs.

Direct costs of becoming HITRUST CSF certified

A validated HITRUST Assessment that results in a HITRUST CSF Certification is a more complete, certified version of a HIPAA audit. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. A standard web app is used to enter information, and those entries are validated by a HITRUST-approved assessor. Then HITRUST, the organization, reviews all the entries, typically asks for more evidence, and you hopefully get HITRUST certified at the end. The direct costs include both fees to HITRUST and fees to your auditor, or approved assessor. The direct cost, at the low end, is about $40,000-$60,000, but costs can be much higher for larger organizations.

Indirect costs of becoming HITRUST CSF certified

As Steve Jobs said, “the most precious resource we have is time,” and indirect costs are harder to quantify. For the Datica HITRUST assessment, we estimate the total time spent across all employees at 200 hours. Also necessary to consider is the time spent between each audit to address issues and solidify compliance and infosec programs. Though not captured for our HITRUST assessment, this contributes to the overall cost of compliance.

Total costs of becoming HITRUST CSF certified

Conservatively estimating the cost of an hour of work at $100/hour, a rough calculation can be tallied. With the cost of salaries, benefits, and lost opportunities from work not performed in the meantime (writing code, customer support, sales, marketing, etc.), those hours must be counted as at least a partial loss. Based on those numbers, the total cost of the HITRUST Assessment is appraised at $60,000-$80,000. If you are considering HITRUST, cost is only one consideration. Audits are time consuming and distracting, factors that are hard to quantify. Weigh the audit’s value for your organization. For us, HITRUST Certification was a no-brainer because audits are part of our value proposition to customers. We have many customers that effectively scale sales without having done audits themselves, so it’s not essential to closing deals, even very large deals. It’s also important to understand that the cost of an audit is not simply a cost at one point in time. Audits are typically followed by annual reviews, sort of like miniature audits. These also cost money, eat time, and can be a distraction.

If you’re not a Datica customer and still want to learn why this is so valuable, or you just have questions about what it takes to complete a HITRUST assessment, please don’t hesitate to reach out directly or tweet us; our team of experts wants to be your trusted resource.

Tags: HITRUST, HIPAA