Smaller Entity Outsourcing of Compliance and Privacy Programs
Outside experts are able to build and manage effective compliance and privacy programs at lower cost.
Outsourcing compliance and privacy programs is a practical way for small healthcare organizations with limited resources to maintain robust, compliant, and cost-effective programs. Outsourcing provides access to specialized expertise, objectivity, and risk mitigation, without the financial and operational burdens associated with maintaining a full in-house team to build and manage these programs internally. The U.S. Department of Health and Human Services (HHS) Office of Inspector General's (OIG) General Compliance Program Guidance (GCPG) explicitly recognizes that smaller organizations may outsource compliance program functions to experts on a part-time basis. The U.S. Department of Justice (DOJ) also recognizes outsourcing compliance programs in its Evaluation of Corporate Compliance Programs guideline. Over the last thirty years, Strategic Management has been called upon to assume responsibility for compliance programs across dozens of smaller healthcare organizations. The organizations that chose to outsource their compliance and privacy programs did so for a variety of reasons:
- Gaining access to expertise not available in-house to navigate complex, ever-changing regulations (HIPAA, HITECH, state laws, etc.), regulatory updates, audits, and risk management.
- Hiring full-time compliance and privacy officers is often cost-prohibitive for small organizations; outsourcing allows organizations to pay only for needed services without overhead employee benefit costs.
- Outsourced providers can scale their services based on the organization's size, risk profile, and growth, avoiding the cost and risk of under- or over-staffing an in-house team.
- External providers offer an independent and unbiased perspective on compliance risks, which is essential for audits and assessments.
- Outsourced experts bring experience in ongoing compliance risk monitoring, managing incidents and breaches, and reducing the likelihood of encounters with regulatory and legal authorities.
- Outsourcing allows smaller healthcare providers to focus on their core responsibilities of patient care rather than spending their limited administrative capacity navigating regulatory complexities.
- Regulators (e.g., OIG, OCR, CMS, DOJ) expect organizations, regardless of size, to have effective compliance programs; outsourcing helps demonstrate a structured and professional approach to meeting those expectations.
More information on this topic is available at https://www.compliance.com/services/interim-outsourced-compliance-staffing/. For further discussion you are welcome to contact Richard Kusserow at [email protected].