Health care providers are generally aware of the need for Compliance and Privacy Officers to manage an effective compliance program and ensure HIPAA compliance. Health care organizations commonly experience Compliance and HIPAA Privacy Officer (Privacy Officer) vacancies due to reasons such as, retirement, termination, or new employment. In certain circumstances, a Federal Government audit or investigation may also trigger such a vacancy. Regardless of the reason, the departure of a long-time incumbent can create a vacuum that potentially leads to serious health care compliance problems and legal liabilities. To prevent such an issue from arising, the Board of Directors (Board) or new executive leadership may wish to hire an interim Compliance and/or Privacy Officer (Interim Officer) to maintain, update, or promote the organization’s compliance and HIPAA Privacy program.
Compliance experts provide the following advice regarding the use of Interim Compliance and HIPAA Privacy Officers to fill vacancies:
- When a Compliance or Privacy Officer vacancy arises, organizations should fill the position quickly. This allows the organization to continue its rapid response to emerging issues. The most challenging time to have a vacancy is during the holiday season or at the end of a calendar year. A sudden Compliance and/or Privacy Officer departure at that time makes finding a properly qualified candidate more difficult. As the regulatory and enforcement environment rapidly evolves, health care organizations cannot afford to have a gap in their compliance functions. When such a gap occurs, hiring an interim Compliance and/or Privacy Officer for a short term engagement can hold the program together until a permanent replacement is found. Organizations usually take three to five months to find an experienced and qualified permanent replacement. An Interim Officer can help mitigate problems during this transition period.
- Properly qualified interim Compliance Officer can present many advantages to an organization. Interim Compliance Officers can contribute the knowledge and skills obtained from their prior engagements in other organizations or government agencies. These Interim Officers may also address issues more efficiently, as they have likely encountered similar issues in the past. Moreover, as outside Officers, these individuals have not invested in any prior decisions or aligned with any parties within the organization. As a result, they can bring a fresh perspective and provide an objective assessment of the state of the organization’s compliance program. An interim Officer can also provide suggestions and guidance for compliance program improvements.
- Organizations should realize the key differences between the work of an interim Privacy Officer and that of a Compliance Officer. As previously mentioned, an interim Compliance Officer can bring many advantages to an organization, ranging from a broad skill set to an entirely new perspective on assessing a compliance program. Alternatively, an interim Privacy Officer can present a different set of advantages for an organization. For example, an interim Privacy Officer’s engagement can be part-time with most of the work conducted remotely. During the first month of the engagement, the interim Privacy Officer reviews the adequacy of existing policies, procedures, controls, and training content. Following the first month, the Privacy Officer will shift primarily to privacy violation investigations. Additionally, the interim Privacy Officer remains available at all times to address any organizational issues that may arise. An organization’s compliance department may not have the necessary resources and expertise that an interim Privacy Officer has to fulfill a temporary vacancy.
- When an organization is considering hiring a temporary Compliance and/or Privacy officer, they should assess the additional services the Interim Officer can contribute. Organizations seeking temporary Compliance or Privacy Officers should hire an Interim Officer who is willing and able to do more than just monitor and manage daily tasks. Interim Officers can provide an independent assessment of the compliance or HIPAA Privacy program’s status and its high-risk areas. They can also develop a roadmap for the incoming Compliance and/or Privacy Officer to follow. Upon completion of the engagement, the work of the temporary Officer can be compiled into a comprehensive briefing for the management and Board to review. By hiring an Interim Officer, an organization can ensure that their compliance program remains effective throughout the vacancy period.