Blog Post

Great Changes in Responding to HIPAA Compliance

Richard P. Kusserow | June 2019
  • 75% of compliance programs report now including the privacy officer
  • Most organizations are having difficulty with added HIPAA responsibility
  • Tips on the cost-benefit analysis of using outside HIPAA experts
  • Most organizations require only part-time privacy officers

In this year’s national Compliance Benchmark Survey, respondents reported that 75% of HIPAA privacy officers have been placed within their organizations’ Compliance Office. Also, two-thirds of respondents stated that their Compliance Office was operated by five or fewer staff, and most did not expect an increase in resources for the coming year. Nearly two-thirds of the respondents reported that their organization had recent encounters with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over HIPAA breaches. Taken together, the evidence suggests that HIPAA privacy is proving to be a significant strain on compliance offices; and it explains why many are looking for outside assistance for managing HIPAA risks. When considering obtaining outside HIPAA assistance, experts give the following advice.

Tips From Experts

  1. Steve Forman, CPA, has over 35 years of experience in managing and evaluating compliance programs. Mr. Forman has seen first-hand the consequences of this trend and how many organizations are outsourcing the privacy officer function to outside experts to deal with the added strain. For those considering this option, he suggests conducting a cost-benefit analysis. He noted that ZipRecruiter reported that as of May 24, 2019, the average annual pay for a fully qualified HIPAA Privacy Officer in the United States is $103,371 a year. With an additional 30% for overhead (i.e. FICA taxes, benefits, employee support, etc.), that brings the average total FTE cost to around $130,000 annually or around $11,000 per month. As such, he advises those considering using an Interim or Designated Privacy Officer to measure the costs of hiring an outside expert against the FTE figure.
  2. Catie Heindel, JD, CHC, CHPC, CHPS, is an expert on HIPAA compliance. Ms. Heindel notes that the reason why fully qualified HIPAA privacy officers command such high salaries is because in some sense the professional demands are equal to or greater than that of corporate compliance officers. The risk associated with not having a competent privacy officer is great, due to the high likelihood of having data breaches that could result in significant penalties. Compliance officers that have assumed responsibilities of the privacy officer function must, in most cases, rely upon a professionally qualified privacy expert to help them fulfill their responsibilities. Just delegating the work to someone on their staff, part-time, is begging for problems.
  3. Lisa Shuman, MPA, CHC, CHPC, CHRC, is another expert on HIPAA compliance and has served as privacy officer for multiple organizations, and provides client advisory services on many HIPAA matters. From Ms. Shuman’s experience, she has found that most of the smaller and mid-size organizations may not require full-time privacy officers. They may only need a privacy officer that works an average of 40-60 hours per month. She explained that once an organization has laid the foundation for HIPAA privacy with an initial risk analysis, implementation of relevant policy, and development of HIPAA training, the amount of day-to-day work for the HIPAA privacy officer declines greatly to mainly focusing on responding to or preventing breaches. Also, individual experts, backed by a team, are far more efficient at addressing issues than a solo full-time privacy officer with inadequate support.
  4. Kashish Parikh-Chopra. JD, CHC, CHPC, places Interim and Designated Privacy Officers for her clients. Often, compliance officers contact Ms. Parikh-Chopra after assuming responsibility for the privacy officer function, because they do not have all the needed expertise to confidently manage their organizations’ HIPAA privacy matters. Some ask for an assessment or gap analysis of the status of their HIPAA privacy program. Others ask for assistance in developing supporting policies and procedures or developing and delivering HIPAA training. More recently, many are requesting either an Interim or Designated Privacy Officer. In most cases, these engagements are part-time, or on-call services, where most of the work can be done remotely.

For more information on engaging HIPAA compliance assistance, contact Kashish Parikh-Chopra, JD at or (703) 535-1413.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog