The Health Insurance Portability and Accountability Act (HIPAA) is a complex piece of federal U.S. legislation. It takes compliance experts with a deep understanding of the law to assess risks relating to a business, to properly train personnel, and to help compose policies and procedures regarding HIPAA compliance.
Because of this, we cannot stress enough the importance of the question: Do you need a HIPAA compliance consultant? That's why we've compiled six reasons why you should care about it.
What are HIPAA consultants?
HIPAA compliance consultants prioritize compliance issues that they identify as a business's potential risks under the HIPAA rules. In general, HIPAA consultants have a minimum of a Bachelor's Degree and many have additional coursework concentration in the HIPAA law itself. HIPAA consultants are experienced and knowledgeable about the law's requirements. They know how to help businesses compose policies and procedures in compliance with the law.
What does HIPAA require and who does it apply to?
HIPAA's regulations require health care organizations and their business associates to adopt policies and procedures that protect the privacy, security, and integrity of their clients' protected health information.
HIPAA compliance is not voluntary; it is mandatory.
- HIPAA's Privacy Rule protects the patient's individually identifiable health information that a health care organization holds or sends to another through any type of transmission.
- Not understanding the HIPAA rules or purposefully violating those rules will result in the imposition of hefty fines and may result in forced structural reorganization.
- Enforcement of HIPAA's Privacy Rule and Security Rule falls to the Office of Civil Rights, the Justice Department, and the FCC.
- Healthcare professionals who knowingly use or obtain health information in the intentional violation of the HIPAA rules may be criminally responsible under the criminal enforcement section of the Act.
How do HIPAA consultants benefit health care organizations?
HIPAA's privacy, security, and breach notification provisions are particularly complex. An organization's staff, managers, and C-suite officers may not possess the expertise required to comply with the Act. IT departments with limited staff and resources may not have the capacity to perform the analysis and administrative tasks required for compliance.
It helps, too, that most HIPAA consulting experts specialize in various parts of the Act. The Act's Security Rule, for example, requires that businesses encrypt the personal health information they control by using an algorithm to transform the information into unidentifiable bits that cannot be translated without a key or some other secret process. When dealing with such intricate issues, it always helps to have objective eyes to review the compliance practices as well as the composition of policies and procedures.
Another benefit of a HIPAA consultant's report is that it may be taken into account as a mitigating factor if a civil rights action is filed after the report. Lawyers have seen time and again after a breach that the Office of Civil Rights wants to see the company's latest HIPAA Risk Analysis. HIPAA Risk Analysis is what HIPAA consultants do best.
What are the best fits for HIPAA consultants?
HIPAA compliance is an ongoing undertaking. Compliance consulting is not one-size-fits-all but should be tailored to the organization's particular needs. Regular reviews are necessary to track personal health information access and to detect security risks.
HHS.gov describes many useful examples of HIPAA enforcement cases and their remedies, which you can read on the HHS website. A few of them are:
- Policies for telephone messages (the minimum information necessary in messages, and specific instructions on what information may be left in messages)
- The process for obtaining valid authorizations for disclosure of personal health information
- The process for delivering privacy notices to patients
- Privacy practices to protect personal health information from disclosure in waiting rooms
- A pharmacy chain adopting new safeguards to prevent disclosure of personal health information in pharmacy logbooks left on counters
- A health plan correcting a computer vulnerability that mailed EOBs to the wrong person
- A health center revising its process to avoid disclosing personal health information to employers
Reviews by HIPAA compliance consultants might have discovered these defects before the HIPAA enforcement agencies came to call.
So, do you need a HIPAA consultant?
The short answer is that everyone needs a HIPAA consultant. The real question is how detailed a review your company needs.
Some companies may need help from beginning to end, including setting up business associate agreements and policies and procedures. Some businesses may only need a review of their current HIPAA policies and procedures. Some businesses may need help with employee training. And best practices say that HIPAA risk audits should be conducted on an annual basis to identify key IT security vulnerabilities. A great place to start is with a HIPAA Compliance checklist, which we've created for you here: