
HIPAA Supplemental Support

Richard P. Kusserow | June 2023

Key Points:

  • Four out of five Compliance Officers bear responsibility for HIPAA Privacy
  • The most frequent encounters with enforcement agencies are a result of a privacy breach
  • The privacy landscape is rapidly growing more complex with state legislative mandates
  • HIPAA workloads vary considerably over a year
  • The time and cost of recruiting qualified HIPAA professionals are considerable
  • For many, the use of expert consultants can be a cost-effective solution

Healthcare organizations are often faced with the challenge of complying with the HIPAA Privacy and Security Rules. The 2023 Compliance Benchmark Survey of Compliance Officers continued to show the trend of placing HIPAA Privacy under the Compliance Office. Today, four out of five healthcare organizations have moved in that direction, creating a significant challenge for Compliance Officers. Results of the Survey also found that the most common encounter healthcare organizations have with a regulatory and enforcement authority is with the HHS Office for Civil Rights, most often as a result of data breaches of PHI. Privacy is challenging because, in addition to the federal HIPAA legislation and regulatory mandates, many states have added to the compliance requirements. It takes compliance experts with a deep understanding of the law to assess the risks relating to a business, train personnel properly, and help compose policies and procedures regarding HIPAA compliance. The burden of managing HIPAA requirements matches that of the compliance program in general. Complicating matters is that HIPAA Privacy compliance varies in terms of time and effort. For much of the time the workload is very manageable, while at other times it can be overwhelming, such as when an assessment is due, training needs updating, or a breach of PHI must be addressed. This creates a staffing problem, especially for smaller organizations with limited staff. Adding to the challenges is the difficulty and cost of recruiting qualified HIPAA compliance staff.

Many Compliance Officers have found a solution by engaging outside supplemental support services for HIPAA compliance from certified HIPAA Privacy/Security consultants who have a deep understanding of the regulations and how they apply to organizations. Relying upon consultants can permit outsourcing the HIPAA Privacy Officer function on a short-term basis or entirely. Most often, however, it is a matter of engaging a consulting firm to be available on call to assist as needed with updating training, conducting a compliance assessment, fixing immediate compliance gaps, developing a long-term compliance strategy, or assisting with a data breach. Notably, when engaging a consultant, payment is only for the hours of service provided. There are no costs of recruitment, training, or overhead (e.g., FICA, tax withholding, leave, benefits, etc.), and most work can be done on a part-time basis, making it an affordable option to consider. Some common areas where qualified consultants can assist include the following:

  • Policy development
  • Training development and delivery
  • Auditing and monitoring of the Privacy Program
  • HIPAA risk assessment
  • Privacy Program updates to comply with laws, rules, and regulations
  • HIPAA privacy gap assessment
  • HIPAA privacy policies and procedures review and development
  • HIPAA breach notification assessment and remediation
  • Privacy officer, security officer, and general staff training
  • Business Associate compliance audits
  • Interim Privacy Officer services
  • HIPAA security risk analysis
  • HIPAA security rule gap and compliance assessments

Keep up-to-date with Strategic Management Services by following us on LinkedIn.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.