How much does HIPAA compliance cost? A small-practice breakdown
What HIPAA compliance actually costs a small practice — risk analysis, policies, training, safeguards, and annual upkeep, with real dollar ranges.
By CoreFolio
8-minute read
Practices ask "how much does HIPAA compliance cost?" expecting a single number. There isn't one — and any vendor who gives you a flat figure is usually pricing one slice and letting you assume it covers the whole thing. HIPAA does not charge a fee, does not require registration, and does not certify anyone. What it requires is a body of work: a current risk analysis, written policies, trained staff, signed vendor agreements, and technical safeguards that match what your own analysis says you need.
The cost is the sum of those parts. This article breaks each one down with real ranges, so you can build a budget that reflects your actual practice instead of a number pulled from a sales page. The goal is a clear picture of what you are paying for and why — not a push toward any single path.
What HIPAA actually requires you to pay for
The HIPAA Security Rule frames compliance as an ongoing program, not a one-time purchase. Section 45 CFR § 164.306 sets the general requirements — practices must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and document their approach.1 The administrative safeguards at § 164.308 require a risk analysis and a risk management process, workforce training, and sanctions for violations.2 And § 164.316 requires that policies and documentation be written down and kept for six years.3
None of those provisions names a dollar amount. The Office for Civil Rights (OCR) — the U.S. Department of Health and Human Services (HHS) enforcement arm — does not tell you how to spend; it evaluates whether the work is accurate, thorough, and current. That is why costs vary so widely: two practices can both be defensible while one spent $800 and the other spent $12,000, because they made different choices about time, tools, and outside help.
The cost, line item by line item
A complete HIPAA program for a small practice has six recurring cost centers. Here is what each typically runs.
1. Risk analysis and risk management plan
This is the foundation OCR asks for first in almost every investigation. It can be produced free with the HHS Security Risk Assessment Tool, bundled into self-service guided software (which covers the assessment along with your policies and training for about $1,200 per year, all-in), or produced by a consultant at $1,500–$8,000 as a discrete engagement. For a full breakdown of just this line item — including the time and risk costs of each path — see the dedicated guide on HIPAA risk assessment cost.
2. Policies and procedures
HIPAA requires written policies covering the Security Rule, Privacy Rule, and Breach Notification Rule. Free templates exist but often need heavy editing to match your practice; generic policies that do not reflect your actual systems are a common OCR finding. Budget $0 (self-written) to $1,500 (templated and customized) to several thousand dollars if a consultant drafts a full policy set. Policies are mostly a first-year cost, with light annual review after.
3. Workforce training
Section 164.308(a)(5) requires security awareness training for all workforce members, and the Privacy Rule requires privacy training. Costs range from free (self-delivered from your own materials) to $10–$50 per employee per year for a training service. For a five-person practice that is roughly $50–$250 per year — small, but recurring, and OCR looks for dated completion records, not just that training "happened."
4. Business associate agreements
Every vendor that touches PHI on your behalf — your electronic health record (EHR) platform, billing service, IT provider, cloud backup — needs a signed business associate agreement (BAA). Most reputable vendors provide one at no charge. The cost here is usually time (identifying every vendor and chasing signatures) rather than money, unless you have counsel review the agreements, which can add $200–$500 per agreement.
5. Technical safeguards
This is the line item that surprises practices, because its size depends entirely on what your risk analysis finds. Multi-factor authentication (MFA) is often free or low-cost through your existing EHR or email provider. Encryption for laptops and phones is frequently built into current operating systems. But if the analysis surfaces older unencrypted devices, an unsupported server, or a backup that was never tested, remediation can run from a few hundred to several thousand dollars. Budget conservatively and treat the analysis as the thing that sizes this number for you.
6. Ongoing maintenance
HIPAA compliance is not a one-time project. The risk analysis must be reviewed and updated — at least annually and after any significant change (new EHR, a breach, a new location). Policies need review. Training repeats. Whatever your first-year total, plan for a smaller but real recurring cost every year after.
What it adds up to: three common paths
Most small practices land in one of three patterns. The figures below are first-year estimates for a single-location practice with one to fifteen staff and a standard EHR environment. They exclude technical remediation, which is practice-specific and sized by your risk analysis.
| Path | What it covers | First-year range |
|---|---|---|
| Mostly DIY | Free tool, self-written policies, self-delivered training | $0–$1,000, plus your time |
| Self-service guided software | Assessment, policies, and training, all-in | About $1,200/year |
| Consultant-led | Expert-run assessment plus remediation and policies | $5,000–$25,000 |
A consultant is the right call for complex environments, post-incident situations, or practices that want to hand the whole program to an expert and keep advisory access — a valid path at a different price point. DIY is lowest in dollars and highest in time and methodology risk. Self-service guided software sits in the middle and is the best value for most small practices: structure, documentation, and currency at a flat subscription.
A living binder, not a one-time document set
There is a split inside the software path worth understanding before you buy. Most tools — including the ones that use AI to draft your policies — leave you with a document set you generate once and then keep current by hand. The moment your practice changes, the file starts drifting from reality, and updating each document falls to whoever has the least time.
CoreFolio's Practice plan works differently. You enter your practice once — your systems, vendors, locations, and staff — and your documents are built from those details, with vendor scripts tailored to your specific EHR. When something changes — a new vendor, another location, a staff update — the binder flags the documents that need a refresh, so your file reflects your practice today rather than the day you set it up.
That is the difference between buying a set of documents and keeping a living file. It is self-service guided software built for a practice without a compliance team, with the guided risk assessment, the Digital Binder with named PDF artifacts, workforce training, and vendor tracking in one place: $99/month or $990/year, less than a comparable all-in software bundle. The first 100 founding practices lock in $49/month or $490/year for as long as they stay subscribed, a limited offer while those founding seats last.
The cost of getting it wrong
The reason budgeting matters is the downside. OCR's Risk Analysis Initiative has produced a steady run of settlements against small practices whose core failure was not having a defensible risk analysis at all.4 Settlement amounts for small entities have landed in the low five figures and up, typically paired with a multi-year corrective action plan — which itself carries a cost far larger than any of the line items above.
Framed that way, the question shifts. It is not only "what does compliance cost?" but "what does it cost to skip it and be investigated?" A modest, well-documented program is inexpensive relative to that exposure.
How to build your budget
You do not need every number nailed down to start. Work in this order:
- Run the risk analysis first. It is the foundation OCR asks for, and it sizes your technical-safeguard spend. Until you have it, the remediation line item is a guess.
- Inventory your vendors. List everyone who touches PHI and confirm a signed BAA for each. This is mostly free and mostly a matter of time.
- Decide DIY, self-service guided software, or a consultant for the documentation, based on your environment's complexity and the time you realistically have.
- Budget the recurring costs, not just year one — training, the annual risk-analysis update, and policy review.
- Fix the gaps the analysis surfaces, in priority order. This is the variable cost, and it is the one worth spending on.
A defensible HIPAA program is achievable on a small-practice budget. What it takes is knowing which line items are cheap, which are variable, and which one — the risk analysis — sizes all the others.
Sources
Footnotes
-
45 CFR § 164.306 (security standards: general rules). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.306 ↩
-
45 CFR § 164.308 (administrative safeguards, including the risk analysis and training requirements). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308 ↩
-
45 CFR § 164.316 (policies, procedures, and six-year documentation retention). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316 ↩
-
HHS OCR resolution agreements and civil monetary penalties, including the Risk Analysis Initiative. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html ↩