When considering implementing HIPAA in my company, I'd like to know how much it would cost in terms of technology, resources and time.
It depends on your business/industry. Do you collect, maintain health information on behalf of your company or another company (health care provider or plan)? If not, HIPAA does not apply to you.
For AWS, it costs about $1500 a month minimum because you have to use dedicated EC2 instances. However, if you are already at the point of spending that much per month in EC2 instances anyway, it won't cost much more - it's just that becomes the minimum cost even for a single EC2 server.
There are many AWS services that are not on the HIPAA/BAA approved list, so you'll have to take that into consideration.
By far the most expensive thing is the time it takes to train all your staff and put in place the appropriate administrative controls to ensure that data is safeguarded and patches are put in place.
It's not that expensive to be HIPAA compliant, and if you aren't HIPAA compliant you are likely doing a very bad job of security. I always advise folks to do a good enough job with security (encryption, backups, proper oversight) that everything is HIPAA compliant even if it doesn't have to be.
Also, ever since the 2013 omnibus rule, the HIPAA rules flow out to infrastructure providers even if their product seems to not be specifically about health data - if you have a customer that passes health data through your systems, you are on the hook. Even if your product is very generic like a helpdesk ticketing system.
I am assuming that you already determined that you have appropriate PHI to protect.
In which case it depends on the size of your company, how the information is stored, how it is accessed and who has access to it.
The cheapest way is to limit access to it which will decrease the amount of resources you will need to spend in order to meet HIPAA compliance.
You should be assigning a Privacy Officer who can monitor your HIPAA guidelines and report and misuse or breach.
It's tough to give you a cost estimate without knowing the structure and size of your company. I would refer to this document which should help you figure out what factors you need to focus on:
https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html
