
The Benefits of Outsourcing HIPAA Privacy Responsibilities

Richard P. Kusserow | October 2023

Key Points:

  • HIPAA violations and enforcement actions continue to rise.
  • Eighty percent of Compliance Officers are now responsible for compliance with HIPAA and privacy laws.
  • Outsourcing the role can cost less than employing a HIPAA Privacy Officer.
  • Small healthcare organizations can ill-afford dedicated HIPAA staff.
  • Outside experts engaged to assist with HIPAA and HITECH compliance are common.
  • Programs should mitigate the threat of costly fines, lawsuits, and loss of reputation.
  • Staying compliant with HIPAA, HITECH, and state privacy laws can be a challenge.

Rise in Enforcement

HIPAA enforcement actions continue to rise. Not only is there the threat of fines and penalties, but there is an increasing trend of class action suits by individuals whose PHI was breached. Most cases are the result of poorly managed Privacy programs and failures on the part of employees to follow the regulation. Over the last decade, HIPAA Privacy has increasingly been moved under the Compliance Office, so that four out of five Compliance Officers now bear that added responsibility. Many covered entities and business associates attempt to tackle HIPAA on their own, not realizing how many factors make up an effective compliance program and what a Privacy Program requires. Meeting the challenge may lie with outsourcing HIPAA Privacy.

Engaging Outside Support

The ever-changing and expanding laws and regulations relating to healthcare have increased the practice of outsourcing various functions and activities to external partners. This has been particularly evident with Compliance Officers, most of whom outsource various activities, such as hotline operations, sanction screening, compliance training programs, and compliance surveys. Privacy compliance can be equal in complexity to the Compliance Program itself. Therefore, it is not surprising that many seek outside expert privacy support, either as an on-call service or by outsourcing Privacy to an established consulting firm that reports to the Compliance Officer. This is particularly true for smaller healthcare organizations that can ill-afford dedicated HIPAA staff to ensure compliance with ever-changing HIPAA, HITECH, and state rules. One major advantage of outsourcing HIPAA compliance is that it helps prevent accidental violations of the regulations. It provides an added level of assurance that nothing is being missed. Outsourced experts know exactly what needs to be done to mitigate damaging legal, reputational, and financial issues.

An important consideration is that outsourcing the Privacy Officer’s work can be less costly than hiring a W-2 HIPAA Privacy Officer. According to ZipRecruiter, a HIPAA Privacy Officer’s average salary is about $100,000/year; adding roughly 30% for overhead (e.g., FICA, space, equipment/supplies, annual/sick/holiday leave, health/retirement benefits, etc.) brings the W-2 cost up to about $130,000. This means that an outside expert firm may be far less costly than hiring an employee qualified and certified in that work.

Benefits of Engaging an Outside Expert

  1. Immediately assume Privacy Officer duties and responsibilities
  2. Provide subject matter expertise and specialized resources not available internally
  3. Bring the benefit of experience with other organizations
  4. Already possess the needed knowledge, avoiding a costly learning curve
  5. Conduct HIPAA Risk Analysis to identify and address gaps in HIPAA Privacy Rule requirements
  6. Review the adequacy of documentation of the Privacy Program
  7. Revise/update the Program to comply with current federal and state privacy rules
  8. Develop customized HIPAA policies and procedures
  9. Prepare and administer the annual HIPAA Compliance Workplan
  10. Clarify HIPAA’s addressable requirements throughout your organization
  11. Meet the ebb and flow of managing the Privacy Program
  12. Keep the organization current with ever-changing regulatory and enforcement challenges
  13. Develop updated privacy training programs
  14. Implement best practice standards and processes
  15. Coordinate, manage, investigate, and take remedial actions for Privacy breaches
  16. Develop a HIPAA Privacy staff training program
  17. Address vulnerabilities identified through HIPAA audit gap analyses

The key to selection is finding an experienced firm and having it dedicate an individual to the work who can build and manage an effective HIPAA Privacy compliance program. For any engagement, it is important to reserve the right to terminate the service at any time. There are several models for using outside consultants to bolster the HIPAA Privacy Program. Email [email protected] for more information on these options.

You can also keep up-to-date with Strategic Management Services by following us on LinkedIn.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
