7 Questions to Ask HIPAA Compliance Consultants
HIPAA compliance consultants are individuals or firms of compliance professionals with an understanding of the Health Insurance Portability and Accountability Act and how it is applied to different types of covered entities and business associates depending on their functions, their locations, and their organizational structures.
Due to their specialized knowledge, HIPAA compliance consultants can help covered entities and business associates identify compliance gaps, suggest ways in which the gaps can be filled, and develop policies and procedures to maintain compliance with HIPAA as much as possible (*). HIPAA compliance consultants can also deliver HIPAA training to members of the workforce.
(*) Engaging HIPAA compliance consultants does not guarantee you will not experience a HIPAA violation or a data breach. The majority of HIPAA violations and data breaches are attributable to human error and human susceptibility; and, due to the volume, the nature, and the urgency of communications in healthcare, it is impossible to eliminate these risks completely.
Why Does My Organization Need Help With Compliance?
HIPAA can apply to many different types of covered entities and business associates. Therefore, when the Rules that make up the HIPAA Administrative Simplification Regulations were published (i.e., the General Requirements, the Privacy Rule, the Security Rule, etc.), the Rules had to accommodate these different types of organization; and, within each type of organization, different skill sets, working practices, and workplace environments.
Since the publication of the HIPAA Administrative Simplification Regulations and the changes made to them by the HITECH Act, many organizations have changed the ways in which they create, receive, maintain, or transmit Protected Health Information. For reference, Amazon EC2 was launched a year before HITECH (2008), and the iPad did not launch until the year after HITECH. Consequently, there have been a lot of technologies introduced that the HIPAA Rules could not have accounted for.
If you combine the flexible language of HIPAA with the technological changes that have occurred, it is not hard to see why some organizations struggle with HIPAA compliance. Although yours may not be one of them, having a fresh pair of eyes look over your policies, procedures, and safeguards may help identify gaps you have possibly overlooked. Furthermore, seeking professional help demonstrates a good faith effort to comply with HIPAA in the event of a subsequent HIPAA violation or data breach.
Why Functions, Locations, and Structures Matter
There is no one-size-fits-all route to HIPAA compliance because – for example โ a healthcare provider has different compliance obligations from a billing company. Therefore, a healthcare provider that subcontracts Part 162 transactions to a billing company does not have to develop policies and procedures to ensure its transaction codes are up to date, while the billing company does not have to distribute a Notice of Privacy Practices nor obtain an acknowledgement of receipt for each Notice.
Location matters because many states have adopted laws that place additional compliance burdens on covered entities and business associates. Organizations in these states must ensure prospective HIPAA compliance consultants are familiar with the requirements of the state โ not just the well-publicized laws that apply to the privacy and security of data, but also less well-known laws relating to health insurance, healthcare licensure, and patient-physician privilege that might preempt HIPAA.
Organizational structures can make a big difference to the complexity of complying with HIPAA. The most common examples of when organizational structures matter are large healthcare systems that are part of an Organized Health Care Arrangement or a Health Maintenance Organization. However, any covered entity that is a hybrid or partial entity for the purposes of HIPAA may also experience challenges with HIPAA compliance due to the structure of the organization โ regardless of size.
7 Questions to Ask HIPAA Compliance Consultants
In the same way as no two covered entities are the same, no two HIPAA compliance consultants are the same. Some may offer more comprehensive services, while others may limit their services to Security Rule compliance. While the latter may be suitable for some types of business associates, engaging the โwrongโ HIPAA compliance consultants can be a waste of time and money. Therefore, it may be important to ask prospective HIPAA compliance consultants the following questions:
What is PHI?
The answer to this question can reveal how well prospective HIPAA compliance consultants understand HIPAA. You can certainly discount any that quote the โ18 HIPAA identifiersโ (because this is not what PHI is) and any that fail to understand the concept of designated record sets.
Does your service cover all Parts of the HIPAA Administrative Simplification Regulations?
This should be an important question for any organization that conducts Part 162 transactions inhouse or as a business associate because HHSโ Centers for Medicare and Medicaid Services (CMS) can sanction non-compliant organizations for repeated transaction rule failures.
What is the maximum penalty for HIPAA violations?
This question can reveal how up to date prospective HIPAA compliance consultants are with HIPAA regulations. Some still quote $1.5 million as the maximum amount HHSโ Office for Civil Rights can impose per violation type. However, this figure has been adjusted for inflation every year since 2015.
How are you preparing for the proposed changes to HIPAA?
It is important for HIPAA compliance consultants to be aware of the proposed changes to HIPAA and be prepared for them. You would not want to be in the middle of a compliance assessment when HHSโ Office for Civil Rights publishes a Final Rule your consultants are not prepared for.
What state laws preempt HIPAA in my location?
Elements of state laws preempt HIPAA in every location, so if a consultant tells you there are no state laws that preempt HIPAA in your location, you should remind them that some state laws apply to residents of the state wherever they are when data is created, collected, maintained, or transmitted.
Have you experience in assessing complex organizations?
It may not be the case that yours is a complex organization, but it would be useful to know if any โthinking outside the boxโ is required to maximize your organizationโs compliance with HIPAA. If the consultant does not have experience of this nature, they may only have a one-size-fits-all approach.
Can you provide verifiable references for organizations you have previously assessed?
Donโt take a consultantโs word that the โfeedbackโ published on their website demonstrates how valuable their services are. Do your due diligence to ensure that any consultant you engage is as good as they claim to be and independently verify references whenever possible.
Conclusion โ You Cannot Be Too Careful with HIPAA Compliance
If your organization is looking for help to identify compliance gaps, find ways to fill them, and develop policies and procedures to maintain compliance with HIPAA, it may be crucial that you ask every applicable question to prospective HIPAA compliance consultants. In the same way as covered entities and business associates can struggle with HIPAA compliance, so can some so-called experts (especially those who develop software first and then look for a way to apply its capabilities).
No credible consultant should object to your questions nor be surprised if you shop around to find the best consultant that meets your requirements. Similarly, no organization that has previously been assessed should object to being asked for a reference. Hopefully, any assessment you undergo will find a minimal number of compliance issues that are simple to resolve. Nonetheless, it can pay to take your time and choose wisely. You cannot be too careful with HIPAA compliance.